JP4997769B2 - Cryptographic communication system, key sharing method, and key providing apparatus - Google Patents

Description

The present invention relates to an encryption communication system in which each information processing apparatus can share a key for realizing encryption communication between information processing apparatuses forming a group, and key sharing applied to such an encryption communication system method, the key providing device, about the key providing program.

  Conventionally, various systems for managing keys shared within a group by a server have been proposed in order to prevent eavesdropping from others and to realize broadcast communication safely within the group. An example of such a system is described in US Pat. FIG. 12 is a configuration diagram showing the configuration of the system described in Patent Document 1. As shown in FIG. However, the code shown in FIG. 12 is different from the code used in Patent Document 1. As shown in FIG. 12, the system described in Patent Literature 1 has a configuration in which a plurality of computers 52-1 to 52-4, an authentication server 54, and a group management server 55 are connected to a network 51. ing. On each of the computers 52-1 to 52-4, processes A (53-1), B (53-2), C (53-3), and D (53-4) are operating.

  Here, the process until the computer 52-1 holds the shared encryption key g1 will be described as an example. The shared encryption key is a key used for data encryption or decryption when performing secret communication (encrypted communication) within the group. The shared encryption key may be referred to as a group key.

  The secret key A is a secret key (common key) held by the computer 52-1 and the authentication server 54. The process A obtains the authentication information encrypted with the conversation key a encrypted with the secret key A and the secret key α of the group management server 55 from the authentication server 54. This authentication information includes the conversation key a. Next, the process A decrypts the authentication information with its own encryption key A to obtain the conversation key a, and applies to the group management server 55 for joining the group using the authentication information. The group management server 55 checks the authentication by decrypting the authentication information with its own encryption key α, and obtains the conversation key a. Then, the group management server 55 distributes the shared encryption key g1 encrypted with the conversation key a to the process A. The process A decrypts the encrypted shared encryption key g1 with the conversation key a, and performs broadcast encryption communication using the shared encryption key (group key) g1.

Japanese Patent Laid-Open No. 7-66803 (page 4-8, FIG. 1)

  In an information processing apparatus (computer) connected to an ad hoc network, the information processing apparatuses forming a group are each connected to the network asynchronously or disconnected from the network. Even in such a case, it is preferable that the information processing apparatuses forming the group can share the group key. In the system described in Patent Document 1, when the authentication server and the group management server are not connected to the network, each computer cannot obtain a shared encryption key. Even if not all the information processing devices forming each server or group are connected to the network, it is preferable that each information processing device forming the group can share the shared encryption key.

  In the system described in Patent Document 1, only a group management server manages a group formed from a plurality of computers. Therefore, when the number of computers forming a group increases, there is a problem that the load on the group management server increases.

  In the system described in Patent Document 1, each computer directly communicates with an authentication server and a group management server, and each computer obtains a group key from the group management server. By the way, in a sensor network, when many terminal sensor nodes and a server communicate, the sensor node which relays communication between a terminal sensor node and a server may be provided. When the system described in Patent Document 1 is applied to such a sensor network system, each terminal sensor node (corresponding to the computer shown in FIG. 12) obtains a group key from the group management server. This causes a problem that the processing of the sensor node that performs relay increases.

  Therefore, the present invention is an information processing apparatus connected to an ad hoc network, and the information processing apparatus is connected to the network even when the information processing apparatuses forming the group are asynchronously connected to the network. An object is to enable each information processing apparatus to share a group key at the time. Note that holding information common to a plurality of information processing apparatuses also corresponds to “sharing”.

  Another object of the present invention is to suppress an increase in the load on the group management server due to an increase in the number of information processing devices, even in a scalable system capable of increasing the number of information processing devices forming a group. To do.

  In addition, the present invention can reduce the amount of processing of an information processing device even when the information processing device forming a group includes an information processing device that relays communication between another information processing device and a server. The purpose is to be able to suppress the increase.

A cryptographic communication system according to the present invention is a cryptographic communication system that includes a plurality of information processing apparatuses, at least a part or all of which forms a group, and a group used when information processing apparatuses forming a group perform cryptographic communication. Key information generating means for generating key information including group key encrypted data obtained by encrypting a key and identification information of each information processing device forming the group, and connecting the key information to the communication network via the communication network Key information transmitting means for transmitting to only one information processing apparatus , each information processing apparatus connecting the key information to the communication network when receiving the key information transmitted by the key information transmitting means Identification information of the own device is included in the key information sharing means shared with each information processing device and the key information shared with other information processing devices. Occasionally, characterized in that it comprises a decoding means for decoding a group key from the group key encrypted data contained in the key information.

  According to such a configuration, when each information processing apparatus receives the key information transmitted by the key information transmission unit, the key information is shared with each information processing apparatus connected to the communication network. Key information sharing means, and decryption means for decrypting the group key from the group key encrypted data included in the key information when the identification information of the own apparatus is included in the key information shared with the other information processing apparatus. Therefore, the information processing apparatus connected to the ad hoc can also share the key information and decrypt the group key. Moreover, since key information should just be transmitted to one information processing apparatus, the increase in the load of a key information transmission means can be suppressed.

  Group key encryption data comprising public key storage means for storing the public key of each information processing apparatus forming a group, wherein the key information generation means encrypts the group key with the public key of each information processing apparatus forming the group Secret key storage means for generating key information including a combination of group key encryption data and identification information for each information processing device forming a group, and each information processing device stores its own secret key And the decryption means of each information processing device may decrypt the group key from the group key encryption data combined with the identification information of the own device using the secret key of the own device.

  A public key storage unit that stores a public key of each information processing apparatus that forms a group is provided, and a key information generation unit generates group key encrypted data by encrypting the group key with a key encryption key to form a group Generates key encryption key encryption data by encrypting the key encryption key with the public key of each information processing device, and generates group key encryption data, identification information and key encryption key for each information processing device forming the group Key information including a combination of encrypted data is generated, and each information processing device includes a secret key storage unit that stores a secret key of the own device, and a decryption unit of each information processing device uses the secret key of the own device. The key encryption key may be decrypted from the key encryption key encryption data combined with the identification information of the own device, and the group key may be decrypted from the group key encryption data using the key encryption key.

  Group key encryption data comprising common key storage means for storing a common key of each information processing apparatus forming a group, wherein the key information generating means encrypts the group key with the common key of each information processing apparatus forming the group And generating key information including a combination of the group key encryption data and identification information for each information processing device forming the group, and each information processing device stores its own device common key. The storage unit may be configured such that the decryption unit of each information processing device decrypts the group key from the group key encryption data combined with the identification information of the own device using the common key of the own device.

  A common key storage unit that stores a common key of each information processing apparatus forming the group is provided, and the key information generation unit generates the group key encrypted data by encrypting the group key with the key encryption key, and forms the group Generate key encryption key encryption data by encrypting the key encryption key with the common key of each information processing device, group key encryption data, identification information and key encryption key for each information processing device forming a group Key information including a combination of encrypted data is generated, and each information processing device includes own device common key storage means for storing the common key of the own device. Even if the key encryption key is decrypted from the key encryption key encryption data combined with the identification information of the own device and the group key is decrypted from the group key encryption data using the key encryption key. Good.

  According to such a configuration, since the common key is used, the processing capability of the key information generation unit and the information processing apparatus may not be high.

Also, the cryptographic communication system according to the present invention is a cryptographic communication system including a plurality of information processing devices, at least a part or all of which forms a group, and each information processing device forming a group has a common key and each information Common key storage means for storing tree structure data indicating the hierarchy of a common key of a processing device and having node identification information for identifying each node, and common to information processing devices not belonging to a group Generates group key encryption data that encrypts the group key with the common key of the node closest to the root, excluding the key, and excludes the group key encryption data and the common key of the information processing device that does not belong to the group Key information generating means for generating key information including a combination with the node identification information of the node closest to the root, and the key information is connected to the communication network via the communication network. And a key information transmission means for transmitting only on a single information processing apparatus that, the information processing apparatus, when receiving the key information transmitted by the key information transmission means, connected to key information to the communication network Key information sharing means shared with each information processing device and key information shared with other information processing devices include node identification information corresponding to the common key of the own device. And decryption means for decrypting the group key from the included group key encryption data.

  Each information processing device includes own device common key storage means for storing the own device common key, and each information processing device decryption means responds to the key information shared with other information processing devices according to the own device common key. When the node identification information is included, the group key may be decrypted from the group key encryption data combined with the contact identification information using the common key of the own device corresponding to the contact identification information. .

The cryptographic communication system according to the present invention is a cryptographic communication system including a plurality of information processing devices, at least part or all of which forms a group, the common key of each information processing device forming a group, and each information processing device A common key storage means for storing tree structure data indicating the hierarchy of the common key and the tree structure data in which node identification information for identifying each node is defined, and the group key is encrypted with a key encryption key. Generate group key encryption data, generate key encryption key encryption data by encrypting the key encryption key with the common key of the node closest to the root excluding the common key of the information processing device not belonging to the group, Generates key information including the group key encryption data and the combination of the node identification information of the node closest to the root and the key encryption key encryption data except for the common key of the information processing device not belonging to the group A key information generating means, the key information, via the communication network, and a key information transmission means for transmitting only on a single information processing apparatus connected to a communication network, the information processing apparatus, the key information transmission When the key information transmitted by the means is received, the key information sharing means for sharing the key information with each information processing device connected to the communication network, and the key information shared with other information processing devices And decryption means for decrypting the group key from the group key encryption data included in the key information when node identification information corresponding to the common key of the own device is included.

  According to such a configuration, when each information processing apparatus receives the key information transmitted by the key information transmission unit, the key information is shared with each information processing apparatus connected to the communication network. When the key information shared with the key information sharing means and the other information processing device includes node identification information corresponding to the common key of the own device, the group key is determined from the group key encryption data included in the key information. Therefore, the information processing apparatus connected to the ad hoc can also share the key information and decrypt the group key. Moreover, since key information should just be transmitted to one information processing apparatus, the increase in the load of a key information transmission means can be suppressed.

Each information processing device includes its own device common key storage means for storing its own common key, and the decryption means of each information processing device responds to the key information shared with other information processing devices according to its own common key. When the node identification information is included, the key encryption key is decrypted from the key encryption key encryption data combined with the contact identification information using the common key of the device corresponding to the contact identification information, and the key The configuration may be such that the group key is decrypted from the group key encryption data using the encryption key.
Further, when the key information generation unit receives information indicating an information processing device to be invalidated in the group and information indicating an information processing device newly added in place of the information processing device to be invalidated. The key information is generated again after replacing the node indicating the common key of the information processing device to be invalidated with the node indicating the common key of the information processing device to be newly added among the nodes of the tree structure data. When the key information is generated, the common key indicated by the replaced node is newly held by the information processing device that is already held without being invalidated or the information processing device that remains without being invalidated. A combination of the node identification number indicating the encrypted common key, the node identification information indicating the common key used for encryption, and the data obtained by encryption Include each key in the key information The device includes own device common key storage means for storing the common key of the own device, and the decryption means of each information processing device includes a node identification number indicating the encrypted common key included in the key information, and encryption. When the node indicating the common key stored in its own device common key storage means is replaced with reference to the combination of the node identification information indicating the common key used and the data obtained by encryption The data obtained by the encryption may be decrypted with the common key used for the encryption, and the decrypted common key may be stored in the own device common key storage means.

  Each time the key information generating means updates the group key, the group key encrypted data obtained by encrypting the group key is added to the key information, and the version information corresponding to the group key encrypted data included in the key information is assigned. The processing device encrypts the communication content to other information processing devices with the group key, and adds the communication data in which the version information corresponding to the group key and the access information for accessing the key information are added to the encrypted data. A configuration including communication data transmission means for generating and transmitting communication data to another information processing apparatus may be employed.

    Each information processing apparatus includes a determination unit that determines whether or not the group key corresponding to the version information added to the communication data is held when the communication data is received from another information processing apparatus. When the information sharing means determines that the group key corresponding to the version information added to the communication data is not held, the information sharing means accesses the key information by the access information added to the communication data, and the decrypting means The group key may be decrypted from the group key encryption data to which version information is assigned in the key information.

  According to such a configuration, when the key information sharing unit determines that the group key corresponding to the version information added to the communication data is not held, the key is shared by the access information added to the communication data. Since the information is accessed, the information processing apparatuses can share the key information even when the key information transmitting means is not connected to the communication network.

  A server including key information transmission means, and some information processing devices relay communication between the other information processing devices and the server, and some servers store the key information, The information processing device may be configured to receive key information from a part of the information processing devices when the information processing device is connected to the communication network from the state not connected to the communication network.

  According to such a configuration, even when the information processing apparatus is connected to the communication network, some information processing apparatuses that perform communication relay do not need to relay communication between the information processing apparatus and the server. . Accordingly, it is possible to suppress an increase in the load on some information processing apparatuses that perform communication relay.

A key sharing method according to the present invention is a key sharing method applied to an encryption communication system including a plurality of information processing apparatuses, at least a part or all of which forms a group, wherein the key information generating means forms a group. Generating key information including group key encryption data obtained by encrypting a group key used when information processing apparatuses perform encrypted communication, and identification information of each information processing apparatus forming a group, and a key information transmission unit, When the key information is transmitted to only one information processing apparatus connected to the communication network via the communication network, and the key information sharing means of the one information processing apparatus receives the key information, the key information Is shared with each information processing device connected to the communication network, and the decryption means of each information processing device includes the identification information of its own device in the key information shared with other information processing devices. When being characterized by decoding the group key from a group key encryption data contained in the key information.

The key sharing method according to the present invention is a key sharing method applied to an encryption communication system including a plurality of information processing apparatuses, at least a part or all of which forms a group. A common key of each information processing device to be formed, and tree structure data indicating a hierarchy of the common key of each information processing device and having node identification information for identifying each node; The information generation means generates group key encryption data obtained by encrypting the group key with the common key of the node closest to the root, excluding the common key of the information processing apparatus not belonging to the group, and the group key encryption data and the group Key information including a combination with the node identification information of the node closest to the root, excluding the common key of the information processing device that does not belong to the key, and the key information transmission means transmits the key information via the communication network. Te, and sent only to a single information processing apparatus connected to a communication network, the key information sharing unit of one information processing apparatus, when receiving the key information, and is connected to the key information to the communication network When the node identification information corresponding to the common key of its own device is included in the key information shared with each information processing device and the decryption means of each information processing device is shared with the other information processing device, The group key is decrypted from the group key encryption data included in the key information.

The key sharing method according to the present invention is a key sharing method applied to an encryption communication system including a plurality of information processing apparatuses, at least a part or all of which forms a group. A common key of each information processing device to be formed, and tree structure data indicating a hierarchy of the common key of each information processing device and having node identification information for identifying each node; The information generation means encrypts the group key with the key encryption key to generate the group key encryption data, and the key encryption is performed with the common key of the node closest to the root among the information processing devices that do not belong to the group. Key encryption key encryption data that encrypts the encryption key is generated, and the node identification information and key encryption of the node closest to the root, excluding the group key encryption data and the common key of the information processing device that does not belong to the group Key encryption It generates key information containing a combination of chromatography data, key information transmission means, the key information, via the communication network, and transmits only a single information processing apparatus connected to a communication network, one information When the key information sharing unit of the processing device receives the key information, the key information is shared with each information processing device connected to the communication network, and the decryption unit of each information processing device receives other information. When the key information shared with the processing device includes node identification information corresponding to the common key of the own device, the group key is decrypted from the group key encryption data included in the key information.
Further, the own device common key storage unit of each information processing device stores the common key of the own device, and the key information generation unit displays information indicating the information processing device to be invalidated in the group, and the invalidation. When information indicating an information processing device to be newly added in place of the information processing device is input, a node indicating a common key of the information processing device to be invalidated is newly added among the nodes of the tree structure data. Information that remains without being revoked when the key information is generated again and the key information is generated again after replacing the node with the common key of the information processing device. Encrypt with the common key already held by the processing device or the common key that the information processing device that remains uninvalidated will newly hold, the node identification number indicating the encrypted common key, and the encryption Node identification information indicating the common key used The combination with the data obtained by encryption is included in the key information, and the decryption means of each information processing device uses the node identification number indicating the encrypted common key included in the key information and the common key used for encryption. When the node indicating the common key stored in its own device common key storage means is replaced with reference to the combination of the node identification information indicating and the data obtained by encryption, encryption is performed. The obtained data may be decrypted with the common key used for the encryption, and the decrypted common key may be stored in the device common key storage means.

A key providing apparatus according to the present invention is a key providing apparatus that is applied to an encryption communication system that includes a plurality of information processing apparatuses, at least a part or all of which forms a group. Key information generating means for generating key information including group key encrypted data obtained by encrypting a group key used for communication, and identification information of each information processing device forming the group, key information is transmitted to the communication network And key information transmitting means for transmitting only to one information processing apparatus connected to the communication network.

The key providing apparatus according to the present invention is a key providing apparatus applied to an encryption communication system including a plurality of information processing apparatuses, at least a part or all of which forms a group, and each information processing apparatus forming a group A common key storage means for storing the common key of each of the information processing devices and the tree structure data indicating the hierarchy of the common key of each information processing apparatus and having node identification information for identifying each node; Generates group key encryption data by encrypting the group key with the common key of the node closest to the root, excluding the common key of the information processing device that does not belong, and the group key encryption data and the information processing device that does not belong to the group Key information generating means for generating key information including a combination of node identification information of nodes closest to the root excluding the common key, and the key information is transmitted to the communication network via the communication network. Characterized in that a key information transmitting means for transmitting only the connected single information processing apparatus to the click.

The key providing apparatus according to the present invention is a key providing apparatus applied to an encryption communication system including a plurality of information processing apparatuses, at least a part or all of which forms a group, and each information processing apparatus forming a group A common key storage means for storing the common key of each of the information processing devices and the tree structure data indicating the hierarchy of the common key of each information processing apparatus and having node identification information for identifying each node; and a group key The key encryption key is generated with the key encryption key to generate group key encryption data, and the key encryption key is encrypted with the common key of the node closest to the root, excluding the common key of the information processing device that does not belong to the group The encryption key encryption data is generated, and the combination of the group key encryption data, the node identification information of the node closest to the root, and the key encryption key encryption data, excluding the common key of the information processing device that does not belong to the group A key information generating means for generating key information comprising a key information, via the communication network, further comprising a key information transmitting means for transmitting only on a single information processing apparatus connected to a communication network Features.
Further, when the key information generation unit receives information indicating an information processing device to be invalidated in the group and information indicating an information processing device newly added in place of the information processing device to be invalidated. The key information is generated again after replacing the node indicating the common key of the information processing device to be invalidated with the node indicating the common key of the information processing device to be newly added among the nodes of the tree structure data. When the key information is generated, the common key indicated by the replaced node is newly held by the information processing device that is already held without being invalidated or the information processing device that remains without being invalidated. A combination of the node identification number indicating the encrypted common key, the node identification information indicating the common key used for encryption, and the data obtained by encryption It is a configuration included in the key information. It may be.

A key providing program according to the present invention is a key providing program installed in a computer applied to an encryption communication system provided with a plurality of information processing devices, at least a part or all of which forms a group. Key information generation that generates key information including group key encryption data obtained by encrypting a group key used when information processing apparatuses forming a group perform encrypted communication, and identification information of each information processing apparatus forming the group It is characterized in that key information transmission processing for transmitting processing and key information to only one information processing apparatus connected to the communication network is executed via the communication network.

A key providing program according to the present invention is applied to an encryption communication system including a plurality of information processing apparatuses, at least part or all of which forms a group, and a common key of each information processing apparatus forming a group and each information A key providing program mounted on a computer having common key storage means for storing tree structure data indicating a hierarchy of a common key of the processing device and having tree identification data in which node identification information for identifying each node is defined And generating a group key encrypted data obtained by encrypting the group key with the common key of the node closest to the root, excluding the common key of the information processing apparatus not belonging to the group, Key information generation that generates key information including a combination of the node identification information of the node closest to the root among information processing devices that do not belong to the group Management, and the key information, via the communication network, characterized in that to execute the key information transmission to be transmitted only on a single information processing apparatus connected to a communication network.

A key providing program according to the present invention is applied to an encryption communication system including a plurality of information processing apparatuses, at least part or all of which forms a group, and a common key of each information processing apparatus forming a group and each information A key providing program mounted on a computer having common key storage means for storing tree structure data indicating a hierarchy of a common key of the processing device and having tree identification data in which node identification information for identifying each node is defined The group key encryption data is generated by encrypting the group key with the key encryption key in the computer, and the common key of the node closest to the root among the information processing devices not belonging to the group is excluded. Generates key encryption key encryption data that encrypts the key encryption key, and is the closest to the root of the group key encryption data and the common key of the information processing device that does not belong to the group The key information generation process of generating key information comprising a combination of the node identification information and key encryption key encrypted data points, and the key information, via the communication network, a single information processing that is connected to the communication network A key information transmission process for transmitting only to the apparatus is executed.
Further, when information indicating an information processing device to be invalidated in the group and information indicating an information processing device newly added in place of the information processing device to be invalidated are input to the computer, a tree structure Replace the node indicating the common key of the information processing device to be invalidated with the node indicating the common key of the information processing device to be newly added, and execute the key information generation process again. In the key information generation process, the common key indicated by the replaced node is newly held by the common key already held by the information processing apparatus that remains without being invalidated or by the information processing apparatus that remains without being invalidated The key information is a combination of the node identification number indicating the encrypted common key, the node identification information indicating the common key used for encryption, and the data obtained by encryption. To include It may be a program.

  According to the present invention, an information processing apparatus connected to an ad hoc can also share key information and decrypt a group key. Moreover, since key information should just be transmitted to one information processing apparatus, the increase in the load of a key information transmission means can be suppressed. Even if a device that relays communication between the key information transmission unit and the information processing device is provided, an increase in the load on the device can be suppressed.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

Embodiment 1 FIG.
FIG. 1 is a block diagram showing a first embodiment of a cryptographic communication system according to the present invention. The cryptographic communication system according to the first embodiment includes an authentication server 4, a group management server (key providing device) 5, and computers (information processing devices) 2-1 to 2-4 that operate by program control. The authentication server 4, the group management server 5, and the computers 2-1 to 2-4 are connected to a communication network (hereinafter simply referred to as a network) 1. Each of the computers 2-1 to 2-4 is connected to the network 1 in an ad hoc manner. That is, each computer is temporarily connected to the network when communicating with other computers, and disconnects from the network 1 after communication with the other computers is completed. Although FIG. 1 illustrates four computers 2-1 to 2-4, the number of computers is not particularly limited.

  At least some or all of the computers 2-1 to 2-4 connected to the network 1 form the same group. Computers that do not form a group (that is, do not belong to a group) may be connected to the network 1. However, even a computer that does not belong to a group includes a key information sharing unit and a key information analysis unit, which will be described later, and shares key information with other computers.

  Note that holding information common to a plurality of information processing apparatuses (computers) also corresponds to “sharing”. Therefore, sharing key information also means that computers send and receive key information and each computer holds key information.

  Each of the computers 2-1 to 2-4 holds a secret key determined so as to be held only by the respective computers themselves. The computer 2-1 holds the secret key Ap. Similarly, the computers 2-2 to 2-4 hold a secret key Bp, a secret key Cp, and a secret key Dp, respectively. Similarly, the group management server 5 holds a secret key αp determined so that only the group management server 5 holds it. Each of these secret keys Ap, Bp, Cp, Dp, and αp is paired with a public key and used when performing cryptographic communication. The public keys corresponding to the secret keys Ap, Bp, Cp, Dp, and αp held by the computers 2-1 to 2-4 and the group management server 5 are Au, Bu, Cu, Du, and αu, respectively.

  Each of the computers 2-1 to 2-4 also holds a public key αu corresponding to the secret key αp held by the group management server 5 in addition to the secret key of each computer.

  The authentication server 4 is a CA (Certificate Authority) for authenticating the computers 2-1 to 2-4 and the group management server 5, and the public keys Au of the computers 2-1 to 2-4 and the group management server 5 , Bu, Cu, Du, αu. These public keys may be in the form of public key certificates.

  In addition to the secret key αp, the group management server 5 holds a shared encryption key (group key) used for encryption and decryption of communication data transmitted / received between the computers forming the group (that is, the computers belonging to the group). To do. Although the shared encryption key g1 is shown in FIG. 1, the group management server 5 may update and provide the shared encryption key. The update timing of the shared encryption key is not particularly limited. For example, when a group is changed, that is, when a computer is added to a group and registered, or a computer registered as a computer belonging to the group is excluded from the group. In such a case, the shared encryption key may be updated. Here, the registration of computers belonging to a group means that the group management server stores each computer belonging to the group in a state where it can be distinguished from other computers, as shown in the process of step S1 described later. In the following description, a case where the group management server 5 provides the computer with the shared encryption key g1 will be described as an example. Further, the group management server 5 holds a KEK (Key Encryption Key) for encrypting the shared encryption key and uses the KEK for sharing the shared encryption key g1 from the viewpoint of improving the security performance. May be. However, KEK is omitted in FIG. Furthermore, the group management server 5 acquires (for example, receives from the authentication server 4 via the network 1) and holds the public keys Au, Bu, Cu, Du of each computer. The computers 2-1 to 2-4 may hold public keys, and the group management server 5 may receive and hold public keys from the computers 2-1 to 2-4.

  The group management server 5 stores identification information for identifying each computer for each computer. Hereinafter, identification information that can identify each computer is referred to as a peer ID. For example, the ID of the public key certificate of each computer may be used as the peer ID. For example, the same data as the public key of each computer may be used as the peer ID. In addition, when an ID in the network is individually assigned to each computer, the ID may be used as a peer ID. Peer ID will not be specifically limited if it is the information which can identify each computer.

  FIG. 2 is a block diagram illustrating a configuration example of the group management server. The group management server 5 includes a control unit 31, a storage device 32, a network interface unit 33, and an input unit 34. The control unit 31 operates according to a key providing program stored in the storage device 32. In addition to the key providing program, the storage device 32 stores a secret key αp, a shared encryption key (group key) g1, and peer IDs of the computers 2-1 to 2-4. Although not shown, the storage device 32 stores the public keys Au, Bu, Cu, Du of each computer received from the authentication server 4 (may be each computer) in association with the peer ID. . The network interface unit 33 is an interface with the network 1. The input unit 34 is, for example, an input device such as a keyboard or a mouse. However, the form of the input unit 34 is not limited as long as the device can input information. Information of each computer forming the group is input to the input unit 34.

  Further, as a mode of generating key information described later, a shared encryption key (group key) is encrypted with a key of each computer belonging to the group (which may be a public key or a common key, but in this embodiment, a public key). There are a mode and a mode in which the shared encryption key (group key) is encrypted by KEK. When the shared encryption key is encrypted with KEK, the storage device 32 also stores KEK for encrypting the shared encryption key.

  The control unit 31 of the group management server 5 acquires the public key of each computer. In addition, the control unit 31 uses the data obtained by encrypting the shared encryption key g1 with the keys of the computers belonging to the group (which may be a public key or a common key, but in this embodiment, the public key) or the shared encryption key g1. Information including data encrypted with KEK and a peer ID (hereinafter referred to as key information) is generated. The key information will be described later with reference to FIG. The control unit 31 of the group management server 5 may transmit the key information to any one computer connected to the network 1. The computer that has received this key information shares the key information with all the computers connected to the network 1 (regardless of whether or not they belong to a group).

  Next, a computer (information processing apparatus) will be described. Here, the computer 2-1 will be described as an example, but the same applies to the other computers 2-2 to 2-4. The computer 2-1 includes a key information sharing unit 7-1 and a key information analysis unit 8-1.

  When the key information sharing unit 7-1 receives the key information from the group management server 5, the key information sharing unit 7-1 shares the key information with the key information sharing units 7-2 to 7-4 of the other computers. For example, the key information sharing unit 7-1 may transmit the key information received from the group management server 5 to the key information sharing units 7-2 to 7-4 of other computers. In this case, the key information sharing unit 7-1 may transmit the key information to the key information sharing units 7-2 to 7-4 of other computers by broadcast transmission. Alternatively, the key information sharing unit creates a copy of the key information received from the group management server 5, transmits the copy to the other computer, and then receives the key information (copy of the key information). The operation in which the key information sharing unit makes a copy of the key information and transmits the copy to another computer may be repeated (that is, the key information sharing unit of each computer transmits the key information in a bucket relay manner). And each computer may hold the key information.) In addition, by using a peer-to-peer file sharing system such as KaZaA or Gnutella, the key information is shared with the key information sharing unit of each other computer. Also good. Further, the key information may be shared with the key information sharing unit of each other computer by DHT (Distributed Hash Table). Here, the key information sharing unit 7-1 has been described as an example, but the same applies to the key information sharing units 7-2 to 7-4 of other computers.

  Based on the key information, the key information analysis unit 8-1 determines whether or not the own device (in this example, the computer 2-1) is a computer belonging to a group. If it is determined that the own device is a computer belonging to the group, the shared encryption key g1 is decrypted using the key information and the private key held by the own device (in this example, the private key Ap). . This decoding process will be described later. Here, the key information analysis unit 8-1 has been described as an example, but the same applies to the key information analysis units 8-2 to 8-4 of other computers.

  FIG. 3 is a block diagram illustrating a configuration example of a computer (information processing apparatus). Here, the computer 2-1 will be described as an example, but the same applies to other computers. The computer 2-1 includes a control unit 41, a storage device 42, and a network interface unit 43. The control unit 41 operates as a key information sharing unit and a key information analysis unit in accordance with the information processing program stored in the storage device 42. That is, the key information sharing unit and the key information analysis unit illustrated in FIG. 1 are realized by the control unit 41 that operates according to the information processing program. In addition to the information processing program, the storage device 42 stores its own private key and the public key of the group management server 5. The network interface unit 43 is an interface with the network 1.

Next, the operation will be described.
FIG. 4 is a flowchart showing an example of processing progress when the shared encryption key is provided from the group management server to the computer. First, the group management server 5 selects each computer belonging to the group based on the input from the group manager (step S1). In other words, each computer belonging to the group is stored in a state where it can be distinguished from other computers. For example, in step S1, the peer ID of each computer belonging to the group is input from the group manager via the input unit 34. And the control part 31 of the group management server 5 should just make each computer which belongs to a group distinguish from another computer by memorize | storing each input peer ID in the memory | storage device 32. FIG. Alternatively, each peer may apply by sending its public key certificate to the group management server and store the peer ID in the certificate so that it can be distinguished from other computers. Here, in step S1, the peer ID of each computer belonging to the group is input via the input unit 34, and the control unit 31 stores (registers) the peer ID in the storage device 32. In the following description, each computer belonging to a group (each computer forming a group) may be referred to as a group member.

  Subsequently, the control unit 31 of the group management server 5 acquires the public key of the group member (step S2). For example, in step S1, it is assumed that the computers 2-1 to 2-4 are selected as group members of the same group based on the input from the group manager. At this time, the control unit 31 of the group management server 5 requests the public key Au, Bu, Cu, Du of each group member from the authentication server 4, and the public keys Au, Bu, Cu stored in advance in the authentication server 4. , Du may be received from the authentication server 4. Alternatively, each computer 2-1 to 2-4 stores the public key of its own device in advance in the storage device 42 (see FIG. 3), and the control unit 31 of the group management server 5 causes each computer 2-1 to 2 to store the public key. -4 may be requested of the public key, and the public key may be received from each of the computers 2-1 to 2-4. The control unit 31 of the group management server 5 stores each public key Au, Bu, Cu, Du received in step S2 in the storage device 32 in association with the peer ID of each computer.

  For example, if two computers, computers 2-2 and 2-4, are selected as group members in step S1, the control unit 31 assigns the two public keys to the group management server 5 in step S2. (Or from computers 2-2 and 2-4).

  Next, the control unit 31 of the group management server 5 generates key information including the peer ID of the group member and data obtained by encrypting the shared encryption key g1 (step S3). As already described, as a mode for generating key information, there are a mode in which a shared encryption key is encrypted with a key of each computer belonging to the group, and a mode in which the shared encryption key is encrypted with KEK. Here, a case where the shared encryption key is encrypted with KEK will be described as an example. FIG. 5 is an explanatory diagram showing an example of key information. FIG. 5 shows an example of key information in the case where the two computers 2-2 and 2-4 are group members. Here, the peer IDs of the computers 2-1 and 2-4 are “2” and “4”, respectively.

  FIG. 5 shows an example in which key information is described in XML (extensible markup language). In the example shown in FIG. 5, each version information indicating the version of the key information provided (transmitted) to the computer is described between the key tags. Individual version information is described between the version tags. The key information shown in FIG. 5 shows only version information when a group is first formed, and information “1” is attached to the version information (the second row shown in FIG. 5). See description.) Thereafter, when the group member is changed, that is, when a computer is added to the group and the peer ID of the computer is additionally registered (added storage), or the peer ID is registered (stored) as a computer belonging to the group. When the computer is excluded from the group and its peer ID is deleted, the control unit 31 updates the shared encryption key and updates the second and subsequent version information (<version = 2> ... </ version>, (Information described with version tag such as <version = 3> ... </ version>) is added. In each version information, a numerical value (“1”, “2”, “3”,...) Indicating the order of the version information is described together with the version tag. When the shared encryption key is updated, the control unit 31 additionally writes version information including a description of data obtained by encrypting the updated shared encryption key. Here, the case where the shared encryption key is updated when the group member is changed is shown, but as already described, the update timing of the shared encryption key is not particularly limited.

  When the process proceeds to step S3 for the first time, the control unit 31 describes only the first version information (<version = 1> ... </ version>) as shown in FIG. With the group member change, the operation after step S1 is started again, and when the process proceeds to step S3 again, version information is added.

  In the version information, information described together with the enc_gk tag is data obtained by encrypting the shared encryption key provided to the computer by the group management server 5 with KEK. When generating the key information, the control unit 31 encrypts the shared encryption key g1 provided to the computer with KEK, and describes the encrypted data together with the enc_gk tag in the version information. However, normally, data obtained as a result of encrypting the shared encryption key with KEK cannot be expressed as a character code. Therefore, the control unit 31 converts (encodes) the data obtained as a result of encrypting the shared encryption key with KEK, for example, with BASE64, and describes the converted data together with the enc_gk tag.

  In the version information, information described together with the kek tag is a combination of each group member's peer ID and data obtained by encrypting KEK. FIG. 5 shows an example of key information when the two computers 2-2 and 2-4 are group members. Therefore, the peer ID “2” of the computer 2-2 and KEK are encrypted. A combination with the data obtained by encrypting KEK and a peer ID “4” of the computer 2-4 is described. Further, encryption of KEK is performed using a public key specified from the peer ID (more specifically, a public key of a computer specified from the peer ID). That is, the description on the right side of the peer ID “2” illustrated in FIG. 5 indicates data obtained by encrypting KEK with the public key Bu of the computer 2-2 specified by the peer ID “2”. The description on the right side of the peer ID “4” illustrated in FIG. 5 indicates data obtained by encrypting KEK with the public key Du of the computer 2-4 specified by the peer ID “4”.

  When generating the key information, the control unit 31 encrypts the KEK using the public key of the computer specified from the peer ID stored in step S1 as the peer ID of the group member. However, data obtained by encrypting KEK cannot usually be expressed as a character code. Therefore, the control unit 31 converts (encodes) the data obtained as a result of encrypting KEK with the public key using, for example, BASE64. Then, the combination of the converted data and the peer ID used for specifying the public key may be described together with the kek tag. The control unit 31 performs the same processing for each computer forming the group, and may describe the combination of the peer ID and the data after conversion of KEK together with the kek tag.

  Between the sign tags, signature data for the information described in the key tag (description from <key> to </ key>) is described. In the example shown in FIG. 5, the signature data for the description from the first line to the sixth line is described. For example, the control unit 31 may create signature data as follows. The control unit 31 performs digest calculation on information described by the key tag (description from <key> to </ key>) using, for example, a hash function such as SHA-1, and the result is obtained. The digest value (hash value) is encrypted with the secret key αp. The data obtained by this encryption is converted (encoded) using, for example, BASE64, and the conversion result is described between the sign tags as signature data.

  However, the signature data creation operation described above is merely an example, and the control unit 31 may create the signature data by another method. For example, a standard XML signature method may be applied as a signature method. Also, XML normalization may be performed when a signature is given.

  The control unit 31 creates key information as described above (step S3).

  In the above description, the case where the shared encryption key is encrypted with KEK to create key information has been described. Next, a case will be described in which the shared encryption key is encrypted with the keys of the computers belonging to the group in the key information creation process (step S3). In this case, KEK is not used. Further, information obtained by encrypting the enk_gk tag and the shared encryption key with KEK (information corresponding to the third line in the example shown in FIG. 5) is not included in the key information. A combination of a peer ID and data obtained by encrypting a shared encryption key with a public key specified by the peer ID is described together with a kek tag.

  When the shared encryption key is encrypted with the key of each computer belonging to the group, the control unit 31 uses the public key of the computer specified from the peer ID stored in step S1 as the peer ID of the group member to generate the shared encryption key. It is only necessary to describe the combination of the encrypted data and the peer ID used for specifying the public key together with the kek tag. Note that data obtained by encrypting a shared encryption key with a public key cannot usually be expressed as a character code. Therefore, the control unit 31 converts (encodes) the data obtained by encrypting the shared encryption key with the public key using, for example, BASE64. And the control part 31 should just describe the combination of the data after the conversion, and peer ID used for identification of a public key with a kek tag. The control unit 31 performs the same processing for each computer forming the group, and may describe the combination of the peer ID and the data after conversion of the shared encryption key together with the kek tag. Further, the control unit 31 does not describe the information of the enk_gk tag in the key information. Other processes are the same as when the shared encryption key is encrypted with KEK.

  After the key information generation process (step S3) by the group management server 5, all the computers (all computers connected to the network 1 regardless of whether they are group members or not) are generated in step S3. The shared key information is shared (step S4). In step S4, first, the control unit 31 of the group management server 5 transmits the key information generated in step S3 to any one of the computers connected to the network 1. This computer may be a computer forming a group or another computer. At this time, it is possible to search for the latest key information by sending an ID that identifies the group and the version number of the group key as a key information file index. desirable. The control unit 31 of the group management server 5 transmits a response request to each computer (computers 2-1 to 2-4 in the example shown in FIG. 1) via the network 1, and the computer that has responded is sent to the current network. What is necessary is just to determine with the computer connected to 1. Then, the key information may be transmitted to any one of the computers determined to be connected to the network 1. Note that the determination method of the computer connected to the network 1 described here is an exemplification, and the computer connected to the network 1 may be determined by another method. One computer that has received the key information from the group management server 5 shares the key information with all computers (all computers connected to the network 1).

  For example, the key information sharing unit (more specifically, the control unit 41 shown in FIG. 3) of the computer that has received the key information from the group management server 5 excludes each computer (the own device) connected to the network 1. In addition, the key information may be broadcasted with respect to whether or not it is a group member. In addition, for example, the key information sharing unit of the computer that has received the key information from the group management server 5 creates a copy of the received key information and transmits the copy to the other computer. The key information sharing unit of the computer that has received the key information copy) may repeat the operation of creating a copy of the key information and transmitting the copy to another computer. That is, each computer (regardless of whether or not it is a group member) connected to the network 1 may transfer key information in a bucket relay manner, and each computer may hold the key information. Further, for example, key information may be shared with the key information sharing unit of each other computer using a file sharing system such as KaZaA or Gnutella. When using such a file sharing system, all peers check whether there is new or updated key information when connecting to the network or when creating or obtaining encrypted data controlled to access a specific group. As a result of the search, all the updated or newly created key information is downloaded. Further, the key information may be shared with the key information sharing unit of each other computer by DHT (Distributed Hash Table). When using DHT, all peers check whether the data corresponding to the hash value of the file index of the key information exists at the time of network connection or creation or acquisition of encrypted data controlled to access a specific group To confirm whether there is new or updated key information. As a result of the search, all the updated or newly created key information is downloaded.

  After step S4, the key information analysis unit (more specifically, the control unit 41 shown in FIG. 3) of each computer sharing the file verifies the signature of the key information (step S5). That is, it is verified that the key information has not been tampered with from the state when it was generated by the group management server 5 in step S3. For example, the group management server 5 calculates a digest value from the information described by the key tag using the hash function as described above, encrypts the digest value with the secret key αp, and converts (encodes) the encrypted data. ) Is assumed to be signature data. This conversion is assumed to be conversion based on BASE64. In the case of this example, the key information analysis unit of each computer converts (decodes) the signature data of the key information, returns it to the state before conversion by BASE64, and converts the decoded data to the public key αu (the private key αp). Decrypt with public key). Further, the key information analysis unit of each computer calculates the digest value from the information described by the key tag included in the key information, using the same hash function as the hash function used by the group management server 5. If the digest value obtained by this calculation is the same as the result decrypted with the public key αu, the key information analysis unit of each computer determines that the key information has not been tampered with.

  Subsequently, the key information analysis unit (more specifically, the control unit 41 shown in FIG. 3) of each computer determines whether or not the own device is a group member (step S6). In step S6, the key information analysis unit of each computer determines that the own device is a group member if the peer ID of the own device is included in the peer ID described with the kek tag in the key information. To do. Further, if the peer ID of the own device is not included in the peer ID described with the kek tag in the key information, it is determined that the own device is not a group member. If it is determined in step S6 that the device is a group member, the process proceeds to step S7.

  In step S7, the key information analysis unit decrypts the shared encryption key. The processing in step S7 will be described separately for the case where the shared encryption key is encrypted with KEK in step S3 and the case where the shared encryption key is encrypted with the keys of the computers belonging to the group. First, the process of step S7 when the shared encryption key is encrypted with KEK in step S3 will be described.

  When the process proceeds to step S7, the key information analysis unit decrypts the data combined with the peer ID of the own device (here, the encrypted data of KEK) with the secret key of the own device. At this time, if the data combined with the peer ID is data converted (encoded) by BASE64 or the like, the data is decoded and returned to the state before conversion by BASE64 or the like. Then, the data is decrypted with its own secret key. As a result, the key information analysis unit can obtain KEK. Subsequently, the key information analysis unit uses the KEK to decrypt the encrypted data of the shared encryption key g1 (in the example illustrated in FIG. 5, data described together with the enc_gk tag) to obtain a shared encryption key. Also in this case, if the data described with the enc_gk tag is data that has been converted (encoded) with BASE64, etc., the data is decoded and returned to the state before conversion with BASE64, etc. Is decrypted by KEK to obtain a shared encryption key.

  The operation of step S7 will be described using the computer 2-2 as an example. In addition, it is assumed that the shared encryption key and the KEK encrypted data described in the key information are encoded using BASE64. When the process proceeds to step S7, the key information analysis unit 8-2 converts (decodes) the data combined with the peer ID “2” of the own apparatus (computer 2-2) into the data before conversion by BASE64. return. Then, the data is decrypted with the private key Bp of the own device to obtain KEK. In addition, the key information analysis unit 8-2 converts (decodes) the encrypted data of the shared encryption key and returns the data to the data before conversion by BASE64. Then, the data is decrypted with KEK to obtain a shared encryption key. Individually, the computer 2-2 is taken as an example, but the same applies to other computers.

  Next, the process of step S7 when the shared encryption key is encrypted with the keys of the computers belonging to the group in step S3 will be described. When the process proceeds to step S7, the key information analysis unit decrypts the data combined with the peer ID of the own device (here, the encrypted data of the shared encryption key) with the secret key of the own device. At this time, if the data combined with the peer ID is data converted (encoded) by BASE64 or the like, the data is decoded and returned to the state before conversion by BASE64 or the like. Then, the data is decrypted with its own secret key. As a result, the key information analysis unit obtains a shared encryption key.

  After the encrypted data is converted into the shared encryption key by the decryption process in step S7, the process ends. After that, when performing encrypted communication between computers connected to the network 1 among group members, the communication data is encrypted and transmitted with the shared encryption key, and the received data is decrypted with the shared encryption key. That's fine.

  If it is determined in step S6 that the device is not a group member, the process is terminated. For example, it is assumed that the computer 2-1 (the peer ID is “1”) shares the key information illustrated in FIG. 5 with another computer. In this case, even if the computer 2-1 verifies in step S5 and confirms that the key information has not been tampered with, in step S6 it determines that the own apparatus is not a group member. This is because only the peer IDs of the computers 2-2 and 2-4 are described in the key information illustrated in FIG. 5, and the peer ID of the computer 2-1 is not described. In this way, the computer that has determined that the own device is not a group member ends the process without proceeding to step S7.

  Through the processing illustrated in FIG. 4 described above, all computers connected to the network 1 share key information regardless of whether or not they belong to a group. After all the computers connected to the network 1 share the key information, the cryptographic communication system maintains a state where at least one computer connected to the network 1 can hold the key information. For example, when a computer disconnects from the network 1, the computer may transmit key information to another computer connected to the network 1 and then disconnect from the network 1.

  When a computer that is not connected to the network 1 is connected to the network 1, the computer receives key information from the computer that holds the key information. For example, when a computer that is not connected to the network 1 is connected to the network, the computer requests a key information from a computer that has been connected to the network 1 before, and a computer that holds the key information. Key information may be transmitted in response to the request. As a result, the computers connected to the network 1 can receive the key information, and even when the number of computers connected to the network 1 increases, the computer can share the key information. When a computer that is not connected to the network 1 is connected to the network 1, the computer may share key information with a computer that is already connected to the network 1 by, for example, DHT. In addition, a computer connected to the network 1 and sharing key information with another computer performs the processing after step S5 (see FIG. 4), and if the computer itself is a group member, it may decrypt the shared encryption key. .

  Also, some computers may relay the group management server 5 with other computers. In this case, a computer that performs relay (hereinafter referred to as a relay device) stores key information shared with other computers. When another computer that is not a relay device (hereinafter referred to as a non-relay device) changes from being not connected to the network 1 to being connected to the network 1, it requests key information from the relay device. May be. In response to this request, the relay device transmits key information to the non-relay device, and the non-relay device receives the key information. Therefore, each non-relay device that is connected to the network 1 from a state not connected to the network 1 does not communicate with the group management server 5 to obtain key information. The relay device plays a role as a cache. Since each non-relay device does not perform communication for obtaining key information with the group management server 5, it is not necessary to perform such communication relay of the relay device. Therefore, the load on the relay device can be suppressed. Each computer may be arranged as a node of a tree-structured network, and a plurality of relay devices may be arranged.

  In the above description, the device that generates the key information is shown as the group management server 5. The computer having the key information sharing unit and the key information analysis unit similar to the computers 2-1 to 2-4 is not the server that is always turned on and is always connected to the network 1, but the group management server 5 described above. The key information may be generated in the same manner as described above and the same processing as that of the group management server 5 may be performed. At this time, in step S3 of FIG. 4, in order to ensure the uniqueness of the common encryption key g1 to be issued, the peer ID of the computer having the group server function for which the uniqueness is guaranteed, and the computer generated by itself The key may be generated by using a key generator that generates a key by using an ID for distinguishing the group, a version of the group key, and a random number generated by the computer as a seed. For example, as the key generator, it is possible to use a process in which all these data are bit-concatenated and a hash calculation is performed on the data. Further, since the computer having the group management server function (the computer that generates the key information) is turned off or the computer that generates the key information may not be connected to the network 1, the following Processing is required. First, when a computer that is not connected to the network 1 is connected to the network 1, the computer may request key information from any computer connected to the network 1. Then, the computer that has received the request for the key information may transmit the shared key information as it is in response to the request. As a result, the computer that has changed from being not connected to the network 1 to being connected to the network 1 receives the key information. If the computer receives the key information, it performs the processing from step S5 onward, and if it determines that the device is a group member (Yes in step S6), decrypts the shared encryption key (step S7). Should be executed. If it is determined that the own apparatus is not a group member (No in step S6), the process may be terminated without moving to step S7.

Next, the effect of this embodiment will be described.
In the present embodiment, the group management server 5 transmits key information to any one of the computers connected to the network 1, and the computer shares the key information with other computers. Therefore, even when the computers forming the group are asynchronously connected to the network, the computers connected in ad hoc can share the shared encryption key (group key).

  The key information includes encrypted data of the shared encryption key encrypted with KEK and encrypted data of KEK encrypted with the public key of the computer belonging to the group. Therefore, a computer that does not have a secret key that is paired with the public key cannot decrypt the shared encryption key. Accordingly, it is possible to perform secure encrypted communication using the shared encryption key only between group members. In the case where the shared encryption key is encrypted with the public key of each computer belonging to the group without using KEK in step S3, the encrypted data of the shared encryption key encrypted with the public key of the computer belonging to the group is included in the key information. Is included. Also in this case, since a computer that does not have a secret key that is paired with the public key cannot decrypt the shared encryption key, secure encrypted communication can be realized.

  When the group management server 5 transmits key information, the key information is transmitted to one computer, and the computer shares the key information with other computers. The group management server 5 does not need to perform processing after transmitting the key information. Therefore, even if the number of computers forming the group increases, the processing load of the group management server 5 does not increase so much. That is, an increase in the load on the group management server due to an increase in the number of computers can be suppressed.

  Further, when the group management server 5 transmits the key information, it only needs to transmit the key information to one computer, and the group management server 5 does not need to communicate with each group member individually. Therefore, even when a computer that relays communication between each computer and the group management server 5 is provided, the computer serves as a cache, stores key information, and requests for key information from individual computers. Since only the stored key information is transmitted, there is no need to relay communication between each computer and the group management server 5. Therefore, even when a computer for relaying communication is provided, an increase in processing load on the computer can be suppressed. For example, even when the present invention is applied to a sensor node that relays communication between a terminal sensor node and a server, an increase in the processing load of the sensor node that relays communication can be suppressed.

  Further, since the signature information is added to the key information, the group management server 5 can verify whether or not unauthorized tampering has been performed even if the key information is distributed to an unreliable computer. .

  In the first embodiment, the key information generation unit and the key information transmission unit are realized by the control unit 31 of the group management server 5. The key information sharing means and the decryption means are realized by the control unit 41 of the computer. The public key storage means is realized by the storage device 32 of the group management server 5. The secret key storage means is realized by the storage device 42 of the computer.

Embodiment 2. FIG.
The configuration of the second embodiment of the present invention is the same as that of the first embodiment. However, in this embodiment, a group ID (identification information for identifying each group) is determined in advance for each group. Each computer belonging to the group stores the group ID of the group to which the computer belongs in the storage device 42 (see FIG. 3).

  Further, each computer included in the cryptographic communication system according to the second embodiment shares a shared cryptographic key (group key) as in the first embodiment. The operation in which each computer shares the shared encryption key is the same as in the first embodiment. However, if the key information analysis unit (control unit 41 shown in FIG. 3) of each computer determines that the own device is a group member in step S6 (see FIG. 4), the key information (step shown in FIG. 4). The key information shared in S4) and the group ID are stored in the storage device 42 in association with each other.

  When the computer shares key information for each group, the processing after step S1 (see FIG. 4) may be performed for each group. In step S1, for each group, the peer IDs of computers belonging to the group may be registered (stored in the storage device 32 shown in FIG. 2).

  Further, in the present embodiment, when a computer that is not connected to the network 1 is connected to the network 1, the computer obtains key information in an operation of step S13 described later, thereby obtaining a key with another computer. Share information.

  Hereinafter, encrypted communication performed by each computer included in the cryptographic communication system according to the second embodiment will be described. FIG. 6 is an explanatory diagram illustrating an example of a format of communication data transmitted and received when each computer performs encrypted communication. As shown in FIG. 6, communication data transmitted and received by encrypted communication includes flag, encrypted data, group ID, key version, and Key_Location.

  The flag is data describing attributes of communication data. The flag includes the number of bytes and the start position of the encrypted data, the number of bytes and the start position of the group ID, the number of bytes and the start position of the key version, and the number of bytes and the start position of Key_Location as the header of the communication data. May be.

  The encrypted data is data obtained by encrypting communication contents (transmission data) with a shared encryption key (group key).

  The group ID is a group ID of a group to which each computer that transmits and receives communication data belongs.

  The key version is version information included in the key information, and is a version information number obtained by decrypting the shared encryption key used for encrypting the communication content. In the case of the key information illustrated in FIG. 5, a numerical value described with the version tag is included in the communication data as the key version.

  Key_Location is information for the computer to obtain key information. For example, the URI (Uniform Resource Indicator) of the key information may be Key_Location. In this case, for example, when the group management server 5 generates the key information, the URI information is included in the key information, and the group management server 5 itself holds the key information and accesses the key information by the URI. You should make it possible. The URI may be a URI that designates a device other than the group management server 5, and the group management server 5 may transmit key information to the device and store it. Alternatively, a computer that transmits communication data may determine a URI, and the computer may transmit and store key information to a device specified by the URI. Further, when each computer that transmits and receives communication data shares key information using a peer-to-peer file sharing system such as DHT (Distributed Hash Table), the hash value of the key information is used as Key_Location. Also good.

  When the encrypted data obtained by encrypting the communication contents with the shared encryption key is created, the computer control unit 41 adds the flag, group ID, key version, Key_Location to the encrypted data according to the format illustrated in FIG. Is added to generate communication data and transmit the communication data to the destination computer.

Next, the operation of the computer that has received the communication data will be described.
FIG. 7 is a flowchart illustrating an example of processing progress of a computer that has received communication data. As already described, in this embodiment, when the computer determines that the own device is a group member in step S6 (see FIG. 4), the storage device 42 associates the key information with the group ID. To remember. The control unit 41 of the computer that has received the communication data determines whether or not the key information is stored in association with the group ID to which the computer itself belongs, and stores the key information associated with the group ID. If it is determined, it is determined whether or not a group key (shared encryption key) decrypted from the version information specified by the “key version (see FIG. 6)” included in the communication data is held (step). S11).

  For example, it is assumed that a computer that has received communication data stores key information associated with a group ID to which the computer belongs. Further, it is assumed that the “key version” included in the communication data is “1”. In that case, the control unit 41 holds the group key decrypted from the version information specified by “1”, that is, the first version information (description from <version = 1> to </ version>) in the key information. It is determined whether or not.

  When it is determined that the group key decrypted from the version information specified by the “key version” included in the communication data is held (Yes in step S11), the control unit 41 receives the group key using the group key. The encrypted data (see FIG. 6) included in the data is decrypted (step S12), and the process ends. As a result, the control unit 41 can obtain the communication content encrypted and transmitted.

  In step S11, the computer control unit 41 determines that the group key decrypted from the version information specified by the “key version” included in the communication data is not held, or the computer itself belongs. When it is determined that the key information is not stored in association with the group ID (No in step S11), the process proceeds to step S13. In step S13, the control unit 41 of the computer acquires key information based on “Key_Location” included in the received communication data (step S13). For example, when the URI is included as “Key_Location”, the control unit 41 accesses the key information specified by the URI and receives the key information.

  After step S13, the control unit 41 refers to the “key version” included in the received communication data (step S14). Subsequently, the control unit 41 includes the peer ID of its own device in the version information specified by the “key version” referred to in step S14 among the version information included in the key information acquired in step S13. It is determined whether or not there is (step S15).

  When it is determined in step S15 that the peer ID of the own device is not included (No in step S15), the processing is ended as it is.

  When it is determined in step S15 that the peer ID of the own device is included (Yes in step S15), the control unit 41 uses the “key version” referred to in step S14 among the version information included in the key information. The shared encryption key (group key) is decrypted from the specified version information (step S16). The process of step S16 is the same as that of step S7 (see FIG. 4). The process of step S16 will be described separately for the case where the shared encryption key is encrypted with KEK when the key information is created and the case where the shared encryption key is encrypted with the key of each computer belonging to the group.

  When the shared encryption key is encrypted with KEK when the key information is created, the control unit 41 uses the data combined with the peer ID of its own device (here, KEK) in the version information specified by the “key version”. Data) is decrypted with the private key of the device itself. At this time, if the data combined with the peer ID is data converted (encoded) by BASE64 or the like, the data is decoded and returned to the state before conversion by BASE64 or the like. Then, the data is decrypted with its own secret key. As a result, the control unit 41 can obtain KEK. Subsequently, the control unit 41 uses the KEK to decrypt the encrypted data of the shared encryption key (in the example illustrated in FIG. 5, data described together with the enc_gk tag) to obtain a shared encryption key.

  When the shared encryption key is encrypted with the keys of the computers belonging to the group at the time of creating the key information, the control unit 41 uses the peer ID of its own device in the version information specified by the “key version”. The combined data (here, the encrypted data of the shared encryption key) is decrypted with the private key of the own device. At this time, if the data combined with the peer ID is data converted (encoded) by BASE64 or the like, the data is decoded and returned to the state before conversion by BASE64 or the like. Then, the data is decrypted with its own secret key. As a result, the control unit 41 obtains a shared encryption key.

  Subsequently, the control unit 41 uses the shared encryption key (group key) to decrypt the encrypted data (see FIG. 6) included in the received data (step S17), and ends the process. As a result, the control unit 41 can obtain the communication content encrypted and transmitted.

Next, the effect of this embodiment will be described.
In the present embodiment, encrypted data is transmitted / received together with the group ID, key version, and Key_Location, and the received computer stores the key information associated with the group ID with reference to the group ID and key version. Whether or not the group key decrypted from the version information specified by the key version is held is determined. If the group key is not held, key information is acquired using Key_Location, and the group key corresponding to the version of the key in the communication data is decrypted. Therefore, even when all the computers belonging to the authentication server, group management server, and group are not connected to the network 1 when the group is formed or the group member connected to the network is changed, the group key is shared. And can make changes.

  In the second embodiment, the communication data transmission unit and the determination unit are realized by the control unit 42 of the computer. Key_Location corresponds to access information.

Embodiment 3 FIG.
FIG. 8 is a block diagram showing a third embodiment of the cryptographic communication system according to the present invention. The same components as those in the first embodiment are denoted by the same reference numerals as those in FIG. 1, and detailed description thereof is omitted. In the third embodiment, the cryptographic communication system includes a group management server 5 and computers 2-1 to 2-4. Although FIG. 8 shows four computers, the number of computers is not limited to four. In the third embodiment, the mode of the key used when generating the key information is different from that in the first embodiment.

  In the first embodiment, each of the computers 2-1 to 2-4 holds a secret key Ap, Bp, Cp, Dp that is determined to be held only by its own device. The key information is generated using the public keys Au, Bu, Cu, Du that are paired with the secret key. In the first embodiment, the group management server 5 holds a secret key αp that is determined to be held only by the group management server 5, and each computer has a public key αu paired with the secret key αp. (See FIG. 1)

  In contrast, in this embodiment, a common key is used instead of using a combination of a secret key and a public key. The computer 2-1 holds a secret key (common key) A as a secret key of the computer 2-1, and the group management server 5 secretly shares the secret key (common key) A with the computer 2-1. To do. Similarly, the computer 2-2 holds a secret key (common key) B as a secret key of the computer 2-2, and the group management server 5 holds the secret key (common key) B with the computer 2-2. Share secretly. The computer 2-3 holds a secret key (common key) C as a secret key of the computer 2-3, and the group management server 5 secretly shares the secret key (common key) C with the computer 2-3. To do. The computer 2-4 holds a secret key (common key) D as a secret key of the computer 2-4, and the group management server 5 secretly shares the secret key (common key) D with the computer 2-4. To do. That is, the computer 2-1 and the group management server 5 hold the secret key (common key) A. Further, the computer 2-2 and the group management server 5 hold a secret key (common key) B. Further, the computer 2-3 and the group management server 5 hold a secret key (common key) C. Further, the computer 2-4 and the group management server 5 hold a secret key (common key) D.

  The group management server 5 holds a secret key (common key) α as a secret key of the group management server 5, and each of the computers 2-1 to 2-4 has a secret key (common) with the group management server 5. Key) α is shared secretly. That is, the group management server 5 and the computers 2-1 to 2-4 hold the secret key (common key) α.

  The group management server 5 holds the shared encryption key g1 as in the first embodiment. When the shared encryption key is encrypted with KEK when creating the key information, the group management server 5 also holds KEK.

  In this embodiment, it is assumed that the group management server 5 secretly shares a secret key (common key) with each of the computers 2-1 to 2-4 in advance. As an aspect of secretly sharing the common key in advance as described above, for example, a management entity of the group management server (for example, an organization such as CA or the like) may generate a secret key shared secretly and The common key is stored in a tamperable memory (for example, an IC card), the memory is sent to a subject (person) who manages the computer (for example, mail), and the person who receives the memory directly sends it to the computer. There are embodiments such as incorporation. The aspect shown here is an example, and the common key may be secretly shared in advance by another aspect. Since the common key is secretly shared in advance, the common keys A, B, C, and D are not received from other devices via the network 1. In the present embodiment, in step S1 (see FIG. 4), for example, for each secret key (common key) stored in advance, the computer corresponding to the common key from the group administrator via the input unit 34. The peer ID is entered. The control unit 31 may store (register) the input peer ID in the storage device 32 in association with the common key stored in advance. Then, after the end of the process, the process after step S3 may be performed without performing step S2.

  In this embodiment, when key information is generated, key information is generated using a common key instead of a public key. As already described, as a mode for generating key information, there are a mode in which a shared encryption key is encrypted with a key of each computer belonging to the group, and a mode in which the shared encryption key is encrypted with KEK. Each of these two modes will be described.

  In this embodiment, when the key information is created by encrypting the shared encryption key with KEK, in step S3, the control unit 31 of the group management server 5 encrypts KEK and describes it with the kek tag in combination with the peer ID. At this time, a common key is used for encryption of KEK. Further, when generating the signature data, a common key α secretly shared with each computer is used. The other points of step S3 are the same as in the case of encrypting the shared encryption key with KEK in the first embodiment.

  For example, it is assumed that computers 2-2 and 2-3 are selected in step S1 as computers forming a group. Assume that the peer IDs of the computers 2-2 and 2-3 are “2” and “4”, respectively. When generating the key information similar to the key information illustrated in FIG. 5 in step S3, the control unit 31 of the group management server 5 encrypts the shared encryption key g1 with KEK as in the first embodiment. Convert the encrypted data with BASE64 etc. and describe the conversion result with the enc_gk tag. Further, the control unit 31 encrypts KEK using the secret key (common key) B of the computer 2-2 specified by the peer ID “2”. Then, the encrypted data is converted by BASE64 or the like, and the conversion result is described in combination with the peer ID “2”. Similarly, the control unit 31 encrypts the KEK using the secret key (common key) D of the computer 2-4 specified by the peer ID “4”. Then, the encrypted data is converted by BASE64 or the like, and the conversion result is described in combination with the peer ID “4”. These descriptions are described together with the kek tag. In addition, the control unit 31 performs digest calculation on the information described by the key tag (description from <key> to </ key>) as in the first embodiment, and the digest obtained as a result The value is encrypted with the secret key (common key) α. Data obtained by this encryption may be converted using, for example, BASE64 and described as signature data between the sign tags.

  In this embodiment, when the shared encryption key is encrypted with the keys of the computers belonging to the group, in step S3, the control unit 31 of the group management server 5 encrypts the shared encryption key and combines it with the peer ID. When writing together with the kek tag, the shared encryption key is encrypted using the secret key (common key) of each computer belonging to the group. Further, when generating the signature data, a common key α secretly shared with each computer is used. Other points are the same as in the first embodiment when the shared encryption key is encrypted with the keys of the computers belonging to the group.

  In the verification process of step S5 (see FIG. 4), the key information analysis unit (more specifically, the control unit 41 shown in FIG. 3) of each computer converts (decodes) the signature data of the key information and then decodes it. The subsequent data may be decrypted with the secret key (common key) α of the group management server 5. Other points in step S5 are the same as those in the first embodiment.

  The process of step S7 will be described separately for the case where the shared encryption key is encrypted with KEK when the key information is created and the case where the shared encryption key is encrypted with the key of each computer belonging to the group.

  When the shared encryption key is encrypted with KEK when creating the key information, in the decryption process of step S7 (see FIG. 4), the key information analysis unit (control unit 41) of the computer When the combined data (here, the encrypted data of KEK) is decrypted, it is decrypted with the private key (common key) of the device itself. The other points in step S7 are the same as in the case of encrypting the shared encryption key with KEK in the first embodiment. For example, when the key information analysis unit 8-2 of the computer 2-2 decrypts data combined with the peer ID “2” of its own device, the data is converted (decoded), and the decoded data is converted into the common key. Decoding with B is sufficient to obtain KEK.

  If the shared encryption key is encrypted with the keys of the computers belonging to the group at the time of creating the key information, the key information analysis unit (control unit 41) of the computer uses the peer of its own device in the decryption process of step S7. When decrypting the data combined with the ID (in this case, the encrypted data of the shared encryption key), the data is decrypted with the private key (common key) of the device itself. The other points are the same as in the first embodiment when the shared encryption key is encrypted with the keys of the computers belonging to the group.

  Further, the processes in steps S4 and S6 are the same as those in the first embodiment.

  In addition, when performing encrypted communication between computers connected to the network 1 among group members, the communication data is encrypted and transmitted with the shared encryption key, and the received data is decrypted with the shared encryption key. That's fine. For example, communication data is transmitted and received in the same manner as in the second embodiment.

  In the third embodiment, the same effect as in the first embodiment can be obtained. Furthermore, in the third embodiment, instead of using a combination of a secret key and a public key, the group management server 5 and the computer each hold a common key, and KEK encryption and decryption are performed using the common key. Therefore, the processing capacity of the group management server 5 and each computer may be lower than that of the first embodiment. As a result, for example, the cryptographic communication system of the present embodiment can be applied even to a sensor network with low processing capability.

  In the third embodiment, the key information generation unit and the key information transmission unit are realized by the control unit 31 of the group management server 5. The key information sharing means and the decryption means are realized by the control unit 41 of the computer. The common key storage means is realized by the storage device 32 of the group management server 5. The own device common key storage means is realized by the storage device 42 of the computer.

Embodiment 4 FIG.
FIG. 9 is a block diagram showing a fourth embodiment of the cryptographic communication system according to the present invention. The same components as those in the first embodiment are denoted by the same reference numerals as those in FIG. 1, and detailed description thereof is omitted. In the fourth embodiment, the cryptographic communication system includes a group management server 5 and computers 2-1 to 2-4. Although FIG. 8 shows four computers, the number of computers is not limited to four. In the present embodiment, broadcast encryption is applied to the cryptographic communication system.

  Here, a case where each device holds a common key as described below will be described as an example. The computer 2-1 holds secret keys (common keys) K0, K1, and K3 as secret keys of the computer 2-1. The computer 2-2 holds secret keys (common keys) K0, K1, and K4 as secret keys of the computer 2-2. The computer 2-3 holds secret keys (common keys) K0, K2, and K5 as secret keys of the computer 2-3. The computer 2-4 holds secret keys (common keys) K0, K2, K6 as secret keys of the computer 2-4. The group management server 5 holds a secret key (common key) α as a secret key of the group management server 5.

  Further, the group management server 5 holds the computer secret keys K0 to K6. That is, the group management server 5 and the computers 2-1 to 2-4 share a secret key (common key) K0 in secret. The group management server 5 and the computers 2-1 and 2-2 share a secret key (common key) K1 in secret. The group management server 5 and the computers 2-3 and 2-4 secretly share a secret key (common key) K2. The group management server 5 and the computer 2-1 share a secret key (common key) K3 in secret. The group management server 5 and the computer 2-2 share a secret key (common key) K4 in secret. The group management server 5 and the computer 2-3 share a secret key (common key) K5 in secret. The group management server 5 and the computer 2-4 share a secret key (common key) K6 in secret.

  Each of the computers 2-1 to 2-4 holds the secret key α of the group management server 5. That is, the group management server 5 and the computers 2-1 to 2-4 share the secret key (common key) α in secret.

  The group management server 5 holds the shared encryption key g1 as in the first embodiment. When the shared encryption key is encrypted with KEK when creating the key information, the group management server 5 also holds KEK.

  Similar to the third embodiment, in the fourth embodiment, it is assumed that the group management server 5 secretly shares a secret key (common key) with each computer in advance. As an aspect of secretly sharing the common key in advance as described above, for example, a management entity of the group management server (for example, an organization such as CA or the like) may generate a secret key shared secretly and The common key is stored in a tamperable memory (for example, an IC card), the memory is sent to a subject (person) who manages the computer (for example, mail), and the person who receives the memory directly sends it to the computer. There are embodiments such as incorporation. The aspect shown here is an example, and the common key may be secretly shared in advance by another aspect. Since the common key is secretly shared in advance, the group management server 5 does not receive the common key via the network 1. Further, in the present embodiment, the storage device 32 of the group management server 5 stores in advance tree-structured data indicating the hierarchy of the computer common keys (K0 to K6 in this example). The tree structure data may be stored in the storage device 32 in advance, for example, through the input unit 34 and the control unit 31 inputs the tree structure data. The tree-structured data indicating the hierarchy of the common key has a common key (K0 in this example) shared by the computers 2-1 to 2-4 as a root, and each of the computers 2-1 to 2-4 has a root. This is data in which a common key (K3, K4, K5, K6 in this example) held without overlapping with other computers is used as a leaf. That is, the common key hierarchy is a hierarchy in which a common key shared by each computer is a root, and a common key stored by each computer without overlapping with other computers is a leaf. In the tree structure data, identification information (hereinafter referred to as a node number) is specified for each root, each node, and each leaf. In the tree structure data, it is determined which computer each leaf corresponds to.

  The generic name for roots, leaves, and nodes is referred to as a node.

  FIG. 10 is an explanatory diagram illustrating an example of tree-structured data indicating a common key hierarchy. In this example, the common key K0 shared by the computers 2-1 to 2-4 is the root. Further, the common key K3 held by the computer 2-1 and not held by other computers becomes a leaf. Similarly, K4, K5, and K6 are also leaves. The common key K1 held by the computers 2-1 and 2-2 and not held by the computers 2-3 and 2-4 is a node between the root (K0) and the leaves (K3 and K4). It becomes. Similarly, the common key K2 is a node between the root (K0) and the leaves (K5, K6). Also, as shown in FIG. 10, node numbers are defined for each root, each node, and each leaf. In this example, it is assumed that the node numbers of the nodes K0 to K6 are “0” to “6”. As shown in FIG. 10, in the tree-structured data, the leaves K3, K4, K5, and K6 are leaves corresponding to the computers 2-1, 2-2, 2-3, and 2-4, respectively. Information is included.

  The tree-structured data also describes a common key held by a computer that does not belong to a group. For example, the computers 2-2, 2-3, and 2-4 form a group, and the common keys K0 to K2 and K4 to K6 held by the three computers are stored in the group management server 5 in advance. Even in this case, the tree-structured data also describes the common key K3 held by the computer 2-1 that does not belong to the group.

  In the present embodiment, each of the computers 2-1 to 2-4 holds in advance information indicating the node number of the common key held by itself and which common key the node number corresponds to. To do. Each of the computers 2-1 to 2-4 receives, for example, information indicating a node number and a common key corresponding to the node number from the group manager, and stores the input information. What is necessary is just to memorize | store in the apparatus 42 (refer FIG. 3). For example, the computer 2-1 that holds the common keys K0, K1, and K3 stores the node numbers “0”, “1”, and “3”. Similarly, the computer 2-2 stores node numbers “0”, “1”, and “4”. The computer 2-3 stores the node numbers “0”, “2”, and “5”. The computer 2-4 stores the node numbers “0”, “2”, and “6”. Each computer also stores information indicating to which common key each node number corresponds.

  In the following description, a case where computers 2-2, 2-3, and 2-4 are selected as computers belonging to a group will be described as an example. In step S1, information indicating each computer belonging to the group (in this example, computers 2-2, 2-3, 2-4) is input, and the control unit 31 of the group management server 5 determines which of the tree structure data. It is specified whether the leaf is a leaf corresponding to each computer belonging to the group. In the present embodiment, after step S1, the process proceeds to step S3 without performing step S2.

  As already described, as a mode for generating key information, there are a mode in which a shared encryption key is encrypted with a key of each computer belonging to the group, and a mode in which the shared encryption key is encrypted with KEK. The key information creation processing (step S3) in each of these two modes will be described. In this embodiment, the key information includes node identification information (node number in this example) instead of the peer ID.

  In this embodiment, when the key information is created by encrypting the shared encryption key with KEK, in step S3, the control unit 31 of the group management server 5 uses the common key of the node closest to the root including the group members. Encrypt KEK. Note that “the node closest to the root including the group member” means “the node closest to the root among the common keys held by computers not belonging to the group”. Here, the node is not limited to a node but may be a leaf or a root. In addition, the control unit 31 encrypts KEK with such a node common key, and describes the encrypted data and the node number of the node together with the kek tag. In the first embodiment and the third embodiment, the combination of the peer ID and the encrypted KEK is described together with the kek tag. However, in this embodiment, the node number and the common key of the node number are described. This is different from the first embodiment and the third embodiment in that the combination with the KEK encrypted in the above is described together with the kek tag. The generation mode of the signature data is the same as that of the third embodiment. The other points in step S3 are the same as those in the case where the shared encryption key is encrypted with KEK in the first embodiment.

  FIG. 11 is an explanatory diagram showing an example of key information generated in this example. In this example, the computers 2-2, 2-3, and 2-4 belong to a group, and the computer 2-1 does not belong to a group. The control unit 31 refers to the data of the tree structure, and is “closest to the root among the nodes closest to the root including the group members”, that is, “excluding the common key held by the computer that does not belong to the group”. Determine "node". Referring to the tree structure shown in FIG. 10, regarding the computer 2-2, except for the common keys K 0, K 1 and K 3 held by the computer 2-1 not belonging to the group, the node closest to the root is K 4 (node number “ 4 ″). As for the computers 2-3 and 2-4, except for the common keys K0, K1, and K3 held by the computer 2-1 that does not belong to the group, the node closest to the root is K2 (node number “2”). Become. Accordingly, the control unit 31 encrypts KEK with the common key K2 corresponding to the node number “2”, converts the encrypted data with BASE64 or the like, and describes the conversion result in combination with the node number “2” ( (Refer to the description of the third line shown in FIG. 11.) Similarly, the control unit 31 encrypts KEK with the common key K4 corresponding to the node number “4”, converts the encrypted data with BASE64 or the like, and describes the conversion result in combination with the node number “4”. (See the description on the third line shown in FIG. 11). These descriptions are described together with the kek tag. Other points (encryption of the common encryption key, generation of signature data, and the like) are the same as those in the third embodiment, and thus description thereof is omitted.

  Further, in this embodiment, when the shared encryption key is encrypted with the keys of the computers belonging to the group, in step S3, the control unit 31 of the group management server 5 selects the node closest to the root including the group member. Encrypt the shared encryption key with the common key. That is, the control unit 31 encrypts the shared encryption key by using the common key of the node closest to the root among the common keys held by the computers not belonging to the group. Then, the control unit 31 describes the node number of the node and the data obtained by encrypting the shared encryption key together with the kek tag. The control unit 31 derives such a combination of the node number and the data obtained by encrypting the shared encryption key for each computer belonging to the group and describes it together with the kek tag. The generation mode of the signature data is the same as that of the third embodiment. The other points are the same as in the first embodiment when the shared encryption key is encrypted with the keys of the computers belonging to the group.

  Steps S4 and S5 are the same as those in the third embodiment.

  In the determination process of step S6 (see FIG. 4), the key information analysis unit (control unit 41) of the computer determines whether or not the node number that matches the node number stored in advance in the own device is described in the kek tag. Therefore, it is determined whether or not the own device is a group member. If the node number that matches the node number stored in advance in the own device is described in the kek tag, it is determined that the own device is a group member. If the node number that matches the node number stored in advance in the own device is not described in the kek tag, it is determined that the own device is not a group member. For example, in this example, the computer 2-1 stores node numbers “0”, “1”, and “3”. When the key information analysis unit 8-1 of the computer 2-1 refers to the key information illustrated in FIG. 11, none of the node numbers “0”, “1”, and “3” are described in the kek tag. Then, it is determined that the own device is not a group member (No in step S6), and the process is terminated.

  For example, the computer 2-2 stores the node numbers “0”, “1”, and “4”. When the key information illustrated in FIG. 11 is referred to, the key information analysis unit 8-2 of the computer 2-2 determines that the own device is a group member because the node number “4” is described (Step S1). (Yes in S6), the process proceeds to step S7. Similarly, the computer 2-3 stores node numbers “0”, “2”, and “5”. When referring to the key information illustrated in FIG. 11, the key information analysis unit 8-3 of the computer 2-3 determines that the own device is a group member because the node number “2” is described (Step S1). (Yes in S6), the process proceeds to step S7. The same applies to the computer 2-4.

  The process of step S7 will be described separately for the case where the shared encryption key is encrypted with KEK when the key information is created and the case where the shared encryption key is encrypted with the key of each computer belonging to the group.

  When the shared encryption key is encrypted with KEK when creating the key information, the key information analysis unit (control unit 41) of the computer stores the own key in the decryption process of step S7 (see FIG. 4). When decrypting data (here, encrypted data of KEK) combined with a certain node number, a common key corresponding to the node number is identified by referring to previously stored information, and the common key Decrypt the encrypted data of KEK. For example, the key information analysis unit 8-2 of the computer 2-2 refers to the information stored in advance in step S7, and obtains the common key K4 corresponding to the node number “4” stored in the own device. Identify. Then, by using the common key K4, the data (KEK encrypted data) combined with the node number “4” is decrypted. For example, the key information analysis unit 8-3 of the computer 2-3 refers to the information stored in advance in step S7, and the common key corresponding to the node number “2” stored in the own device. Specify K2. Then, using the common key K2, the data (KEK encrypted data) combined with the node number “2” is decrypted. The same applies to the computer 2-4.

  If the shared encryption key is encrypted with the keys of the computers belonging to the group when the key information is created, the key information analysis unit (control unit 41) of the computer stores the key information analysis unit (control unit 41) of the computer in the decryption process of step S7. When decrypting the data (here, the encrypted data of the shared encryption key) combined with the node number being identified, the information stored in advance is referred to, the common key corresponding to the node number is identified, The encrypted data of the shared encryption key is decrypted with the common key. As a result, a shared encryption key is obtained.

  In addition, when performing encrypted communication between computers connected to the network 1 among group members, the communication data is encrypted and transmitted with the shared encryption key, and the received data is decrypted with the shared encryption key. That's fine. For example, communication data is transmitted and received in the same manner as in the second embodiment.

  Next, the effect of this embodiment will be described. In this embodiment, the group management server 5 and each computer share a key ring used for broadcast encryption as a common key. Then, the key information is generated using the common key of “the node closest to the root including the group members”, that is, the node closest to the root among the common keys held by computers not belonging to the group. To do. Therefore, even when a group is formed by a very large number of computers and a group key is shared by such a large number of computers, the amount of key information can be reduced.

  In the fourth embodiment, the key information generation unit and the key information transmission unit are realized by the control unit 31 of the group management server 5. The key information sharing means and the decryption means are realized by the control unit 41 of the computer. The common key storage means is realized by the storage device 32 of the group management server 5. The own device common key storage means is realized by the storage device 42 of the computer.

  The above key information is an example, and the name of the tag used for the key information is not limited to the above example. The key information may be described in a language other than XML.

  The cryptographic communication system of each embodiment as described above is, for example, a peer-to-peer content distribution service in which a service administrator fixes a peer served and a peer that does not have a group key cannot download content. Applied to various content distribution services.

  Moreover, the encryption communication system of each embodiment as described above is also applied to, for example, a sensor network that performs secret communication between a server and a node and secret communication between nodes.

Embodiment 5 FIG.
FIG. 13 is a block diagram showing a fifth embodiment of the cryptographic communication system according to the present invention. Components similar to those in the fourth embodiment are denoted by the same reference numerals as those in FIG. 9, and detailed description thereof is omitted. In the fifth embodiment, the cryptographic communication system includes a group management server 5 and computers 2-1 to 2-5. A computer 2-5 illustrated in FIG. 13 is the same computer as the other computers 2-1 to 2-4. Although FIG. 13 shows five computers, the number of computers is not limited to five. In the present embodiment, the LKH (Logical Key Hierarchy) method is applied to the cryptographic communication system. This LKH method changes a part of node keys of a tree structure when the frequency of replacement of group members is high in broadcast encryption. This eliminates the need for generating a large-scale tree structure in advance even when the group management server manages a group whose member replacement frequency is high. In the description of the present embodiment, a key corresponding to a tree-structured node may be referred to as a node key.

  Here, a case where each device holds a common key as described below will be described as an example. The computer 2-1 holds secret keys (common keys) K0, K1, and K3 as secret keys of the computer 2-1. The computer 2-2 holds secret keys (common keys) K0, K1, and K4 as secret keys of the computer 2-2. The computer 2-3 holds secret keys (common keys) K0, K2, and K5 as secret keys of the computer 2-3. The computer 2-4 holds secret keys (common keys) K0, K2, K6 as secret keys of the computer 2-4. The computer 2-5 holds secret keys (common keys) K0 ', K2', K6 'as secret keys of the computer 2-5. The group management server 5 holds a secret key (common key) α as a secret key of the group management server 5.

  Further, the group management server 5 holds the computer secret keys K0 to K6 and K0 ', K2' and K6 '. That is, the group management server 5 and the computers 2-1 to 2-4 share a secret key (common key) K0 in secret. The group management server 5 and the computers 2-1 and 2-2 share a secret key (common key) K1 in secret. The group management server 5 and the computers 2-3 and 2-4 secretly share a secret key (common key) K2. The group management server 5 and the computer 2-1 share a secret key (common key) K3 in secret. The group management server 5 and the computer 2-2 share a secret key (common key) K4 in secret. The group management server 5 and the computer 2-3 share a secret key (common key) K5 in secret. The group management server 5 and the computer 2-4 share a secret key (common key) K6 in secret. The group management server 5 and the computer 2-5 share secret keys (common keys) K0 ', K2', and K6 'in secret.

  Each of the computers 2-1 to 2-5 holds the secret key α of the group management server 5. That is, the group management server 5 and the computers 2-1 to 2-5 share the secret key (common key) α in secret.

  Further, the group management server 5 holds the shared encryption key g1 as in the fourth embodiment. When the shared encryption key is encrypted with KEK when creating the key information, the group management server 5 also holds KEK.

  Similar to the fourth embodiment, in the fifth embodiment, it is assumed that the group management server 5 secretly shares a secret key (common key) with each computer in advance. As an aspect of secretly sharing the common key in advance as described above, for example, a management entity of the group management server (for example, an organization such as CA or the like) may generate a secret key shared secretly and The common key is stored in a tamperable memory (for example, an IC card), the memory is sent to a subject (person) who manages the computer (for example, mail), and the person who receives the memory directly sends it to the computer. There are embodiments such as incorporation. The aspect shown here is an example, and the common key may be secretly shared in advance by another aspect. Since the common key is secretly shared in advance, the group management server 5 does not receive the common key via the network 1. Further, in the present embodiment, the storage device 32 of the group management server 5 stores in advance tree-structured data indicating the hierarchy of the computer common keys (K0 to K6 in this example). The tree structure data may be stored in the storage device 32 in advance, for example, through the input unit 34 and the control unit 31 inputs the tree structure data. The tree-structured data indicating the hierarchy of the common key has a common key (K0 in this example) shared by the computers 2-1 to 2-4 as a root, and each of the computers 2-1 to 2-4 has a root. This is data in which a common key (K3, K4, K5, K6 in this example) held without overlapping with other computers is used as a leaf. That is, the common key hierarchy is a hierarchy in which a common key shared by each computer is a root, and a common key stored by each computer without overlapping with other computers is a leaf. In the tree structure data, identification information (hereinafter referred to as a node number) is specified for each root, each node, and each leaf. In the tree structure data, it is determined which computer each leaf corresponds to.

  The generic name for roots, leaves, and nodes is referred to as a node.

  FIG. 14 is an explanatory diagram showing an example of tree-structured data indicating the hierarchy of the common key. In this example, the common key K0 shared by the computers 2-1 to 2-4 is the root. Further, the common key K3 held by the computer 2-1 and not held by other computers becomes a leaf. Similarly, K4, K5, and K6 are also leaves. The common key K1 held by the computers 2-1 and 2-2 and not held by the computers 2-3 and 2-4 is a node between the root (K0) and the leaves (K3 and K4). It becomes. Similarly, the common key K2 is a node between the root (K0) and the leaves (K5, K6). Further, as shown in FIG. 14, node numbers are determined for each root, each node, and each leaf. In this example, it is assumed that the node numbers of the nodes K0 to K6 are “0” to “6”. As shown in FIG. 14, in the tree-structured data, the leaves K3, K4, K5, and K6 are leaves corresponding to the computers 2-1, 2-2, 2-3, and 2-4, respectively. Information is included.

  The tree-structured data also describes a common key held by a computer that does not belong to a group. For example, the computers 2-2, 2-3, and 2-4 form a group, and the common keys K0 to K2 and K4 to K6 held by the three computers are stored in the group management server 5 in advance. Even in this case, the tree-structured data also describes the common key K3 held by the computer 2-1 that does not belong to the group.

  However, in the following description, a case where the computers 2-2, 2-3, and 2-4 have been selected as the computers belonging to the group, and then the computer 2-4 is invalidated and a computer 2-5 is newly added. Explained as an example. Therefore, as shown in FIG. 14, the nodes K0, K2, and K6 in the tree structure are replaced with nodes K0 ', K2', and K6 'indicating the keys held by the computer 2-5. The information indicating that the leaf K6 is a leaf corresponding to the computer 2-4 is replaced with information indicating that the leaf K6 'is a leaf corresponding to the computer 2-5. Note that the node number does not change even if the node is replaced.

  Further, in this embodiment, each of the computers 2-1 to 2-5 holds in advance information indicating the node number of the common key held by itself and which common key the node number corresponds to. To do. Each computer 2-1 to 2-5 receives, for example, information indicating a node number and a common key corresponding to the node number from the group manager, and stores the input information. What is necessary is just to memorize | store in the apparatus 42 (refer FIG. 3). For example, the computer 2-1 that holds the common keys K0, K1, and K3 stores the node numbers “0”, “1”, and “3”. Similarly, the computer 2-2 stores node numbers “0”, “1”, and “4”. The computer 2-3 stores the node numbers “0”, “2”, and “5”. The computer 2-4 stores the node numbers “0”, “2”, and “6”. The computer 2-5 stores the node numbers “0”, “2”, and “6”. In this example, the post-computer 2-4 is invalidated and a computer 2-5 is newly added. Therefore, the computer 2-5 stores the node numbers “0”, “2”, and “6”. Each computer also stores information indicating to which common key each node number corresponds.

  As described above, here, the computers 2-2, 2-3, and 2-4 have been selected as computers belonging to the group, and then the computer 2-4 is invalidated and a computer 2-5 is newly added. A case will be described as an example. In step S1, information indicating each computer belonging to the group (in this example, computers 2-2, 2-3, 2-5) is input, and the control unit 31 of the group management server 5 determines which of the tree structure data. It is specified whether the leaf is a leaf corresponding to each computer belonging to the group. In step S1, the group management server 5 receives information about the computer to be invalidated (computer 2-4 in this example) and a computer newly added in place of the invalidated computer (this example). Then, the information of the computer 2-5) is input. Based on the input information, the control unit 31 of the group management server 5 includes a key that the newly added computer holds a node indicating the key of the computer to be invalidated that is included in the original tree structure data. Replace with a node indicating. In addition, the control unit 31 replaces the information of the computer (the computer to be invalidated) corresponding to the leaf before replacement with the information of the computer (newly added computer) corresponding to the leaf after replacement. For example, as shown in FIG. 14, the control unit 31 newly adds nodes K0, K2, and K6 (nodes indicating keys of the computer 2-4 to be invalidated) in the original tree structure to the computer 2- 5 is replaced with nodes K0 ′, K2 ′, K6 ′ indicating the keys held by the key 5. Further, the control unit 31 replaces information indicating that the leaf K6 is a leaf corresponding to the computer 2-4 with information indicating that the leaf K6 'is a leaf corresponding to the computer 2-5. However, the control unit 31 does not change the node number. In the present embodiment, after step S1, the process proceeds to step S3 without performing step S2.

  As already described, as a mode for generating key information, there are a mode in which a shared encryption key is encrypted with a key of each computer belonging to the group, and a mode in which the shared encryption key is encrypted with KEK. The key information creation processing (step S3) in each of these two modes will be described. In this embodiment, the key information includes node identification information (node number in this example) instead of the peer ID.

  In this embodiment, in step S3, first, after the node key is changed, in order to transmit a new node key to the computer belonging to the tree structure, encryption is performed with an effective contact key held by such a computer. Turn into. That is, in step S3, the control unit 31 of the group management server 5 has been replaced so that the key indicated by the replaced node in the tree-structured data can be held in the remaining computer without being invalidated. The key indicated by the node is encrypted with the node key held by the computer that remains without being invalidated (or the key that the computer that remains without being invalidated holds). Next, in order to represent the data obtained as a result of encrypting the node key with another node key as a character code, this data is converted (encoded) using, for example, BASE64. In the example shown in FIG. 14, the control unit 31 of the group management server 5 firstly has the node key K2 ′ closest to the leaf, excluding the leaf, to be held in the computer 2-3 among the node keys to be changed. Therefore, K2 ′ is encrypted with K5 (key held by the computer 2-3) and converted with BASE64 or the like. Next, since the node key K0 ′ closest to the leaf next to K2 ′ is to be held in all computers except the revoked computer 2-4, K0 ′ is replaced with K1 (computers 2-1, 2). -2) encrypted and converted with BASE64 or the like, and those encrypted with K2 '(key to be held by the computer 2-3) and converted with BASE64 or the like are created separately.

  Next, when the key information is created by encrypting the shared encryption key with KEK, the control unit 31 of the group management server 5 encrypts KEK with the common key of the node closest to the root including the group members. Note that “the node closest to the root including the group member” means “the node closest to the root among the common keys held by computers not belonging to the group”. Here, the node is not limited to a node but may be a leaf or a root. In addition, the control unit 31 encrypts KEK with such a node common key, and describes the encrypted data and the node number of the node together with the kek tag. In the first embodiment and the third embodiment, the combination of the peer ID and the encrypted KEK is described together with the kek tag. However, in this embodiment, the node number and the common key of the node number are described. This is different from the first embodiment and the third embodiment in that the combination with the KEK encrypted in the above is described together with the kek tag. The generation mode of the signature data is the same as that of the third embodiment. The other points in step S3 are the same as those in the case where the shared encryption key is encrypted with KEK in the first embodiment.

  FIG. 15 is an explanatory diagram showing an example of key information generated in this example. In this example, the computers 2-2, 2-3, and 2-5 belong to a group, and the computers 2-1 and 2-4 do not belong to a group. The control unit 31 refers to the data of the tree structure, and is “closest to the root among the nodes closest to the root including the group members”, that is, “excluding the common key held by the computer that does not belong to the group”. Determine "node". Here, the keys held by the computer include keys that can be held by the computer (keys to be held by the computer). Referring to the tree structure shown in FIG. 14, regarding the computer 2-2, except for the common key K 0 ′ that can be held by the computer 2-1 that does not belong to the group and K 1 and K 3 held by the computer 2-1. The node closest to the root is K4 (node number “4”). As for the computers 2-3 and 2-5, except for the common key K0 ′ that can be held by the computer 2-1 that does not belong to the group and the K1 and K3 held by the computer 2-1, it is most rooted. The nearby node is K2 ′ (node number “2”). Therefore, the control unit 31 encrypts KEK with the new common key K2 ′ corresponding to the node number “2”, converts the encrypted data with BASE64 or the like, and describes the conversion result in combination with the node number “2”. (Refer to the description on the eighth line shown in FIG. 15). Similarly, the control unit 31 encrypts KEK with the common key K4 corresponding to the node number “4”, converts the encrypted data with BASE64 or the like, and describes the conversion result in combination with the node number “4”. (See description on line 8 shown in FIG. 15). These descriptions are described together with the kek tag. Next, the control unit 31 invalidates the above-described encryption (that is, the key indicated by the replaced node) in order to transmit the new node key to the computers belonging to the tree structure even after the node key is changed. Encrypts with the node key held by the computer that remains without being converted (or the key that the computer that remains without being invalidated holds), and describes the information converted with Base64 together with the rev tag To do. The information described with the rev tag includes the node number at which the node key was changed, the node number of the node key that encrypted the changed node key, and the node key corresponding to the node number. This is a combination of data encrypted and converted with BASE64. “2: 5: 42af” illustrated in FIG. 15 indicates that the node key K2 with the node number 2 is changed and the new node key K2 ′ is encrypted with the node key K5 with the node number 5. "42af" indicates that data obtained by encrypting K2 'with K5 is converted by BASE64 or the like. Similarly, in “0: 2: ef3f” illustrated in FIG. 15, the node key K0 with the node number 0 is changed, and the new node key K0 ′ is encrypted with the node key K2 ′ with the node number 2. "Ef3f" indicates that data obtained by encrypting K0 'with K2' is converted by BASE64 or the like. Similarly, “0: 1: abcd” illustrated in FIG. 15 indicates that the node key K0 with the node number 0 is changed and the new node key K0 ′ is encrypted with the node key K1 with the node number 1. "Abcd" indicates that data obtained by encrypting K0 'with K1 is converted by BASE64 or the like. The control unit 31 describes such a rev tag. Other points (encryption of the common encryption key, generation of signature data, and the like) are the same as those in the third embodiment, and thus description thereof is omitted.

  16 and 17 are explanatory diagrams illustrating modifications of the key information generated in this example. In this example, the new node key information is managed as other key information as shown in FIG. 17 (hereinafter, this key information is referred to as node key information), and then the rev tag as shown in FIG. Describes Key_Location for acquiring node key information. This Key_Location is information for the computer to acquire the node key information, like the Key_Location described in the second embodiment. For example, the URI (Uniform Resource Indicator) of the node key information may be Key_Location. In this case, for example, when the group management server 5 generates the node key information, the node key information includes the URI information, and the group management server 5 itself holds the node key information, so that the node key information is represented by the URI. It should be possible to access to. The URI may be a URI designating a device other than the group management server 5, and the group management server 5 may transmit node key information to the device and store it. Alternatively, a computer that transmits communication data may determine a URI, and the computer may transmit and store node key information to a device specified by the URI. In addition, when each computer that transmits and receives communication data shares node key information using a peer-to-peer file sharing system such as DHT (Distributed Hash Table), the hash value of the node key information is set as Key_Location. It may be used. The information described together with the rev tag shown in FIG. 17 includes the node number in which the node key is changed and the node number of the node key obtained by encrypting the changed node key, as described with reference to FIG. And the data obtained by encrypting the changed node key with the node key corresponding to the node number and converting it with BASE64 or the like. “2: 5: 42af” illustrated in FIG. 17 indicates that the node key K2 with the node number 2 is changed and the new node key K2 ′ is encrypted with the node key K5 with the node number 5. "42af" indicates that data obtained by encrypting K2 'with K5 is converted by BASE64 or the like. Similarly, in “0: 2: ef3f” illustrated in FIG. 17, the node key K0 with the node number 0 is changed, and the new node key K0 ′ is encrypted with the node key K2 ′ with the node number 2. "Ef3f" indicates that data obtained by encrypting K0 'with K2' is converted by BASE64 or the like. Similarly, “0: 1: abcd” illustrated in FIG. 17 indicates that the node key K0 with the node number 0 is changed and the new node key K0 ′ is encrypted with the node key K1 with the node number 1. "Abcd" indicates that data obtained by encrypting K0 'with K1 is converted by BASE64 or the like. Other points (encryption of the common encryption key, generation of signature data, and the like) are the same as those in the third embodiment, and thus description thereof is omitted.

  Further, in this embodiment, when the shared encryption key is encrypted with the keys of the computers belonging to the group, in step S3, the control unit 31 of the group management server 5 selects the node closest to the root including the group member. Encrypt the shared encryption key with the common key. That is, the control unit 31 encrypts the shared encryption key by using the common key of the node closest to the root among the common keys held by the computers not belonging to the group. A new node key is used as the common key for this node. Then, the control unit 31 describes the node number of the node and the data obtained by encrypting the shared encryption key together with the kek tag. The control unit 31 derives such a combination of the node number and the data obtained by encrypting the shared encryption key for each computer belonging to the group and describes it together with the kek tag. Finally, in order to transmit the new node key to the computers belonging to the tree structure even after the node key is changed, the above-described encryption (that is, the key indicated by the replaced node remains without being invalidated). The node key held by the computer (or the encryption process performed by the computer that remains without being invalidated) is performed, and the information converted by Base64 is described together with the rev tag, or FIG. A new node key information as shown in Fig. 6 is generated, and the location of the node key information is described together with the rev tag. The generation mode of the signature data is the same as that of the third embodiment. The other points are the same as in the first embodiment when the shared encryption key is encrypted with the keys of the computers belonging to the group.

  Steps S4 and S5 are the same as those in the third embodiment.

  In the determination process of step S6 (see FIG. 4), the key information analysis unit (control unit 41) of the computer determines whether or not the node number that matches the node number stored in advance in the own device is described in the kek tag. Therefore, it is determined whether or not the own device is a group member. If the node number that matches the node number stored in advance in the own device is described in the kek tag, it is determined that the own device is a group member. If the node number that matches the node number stored in advance in the own device is not described in the kek tag, it is determined that the own device is not a group member. For example, in this example, the computer 2-1 stores node numbers “0”, “1”, and “3”. When the key information analysis unit 8-1 of the computer 2-1 refers to the key information illustrated in FIG. 15, none of the node numbers “0”, “1”, and “3” are described in the kek tag. Then, it is determined that the own device is not a group member (No in step S6), and the process is terminated.

  For example, the computer 2-2 stores the node numbers “0”, “1”, and “4”. When the key information illustrated in FIG. 15 is referred to, the key information analysis unit 8-2 of the computer 2-2 determines that the own device is a group member because the node number “4” is described (Step S1). (Yes in S6), the process proceeds to step S7. Similarly, the computer 2-3 stores node numbers “0”, “2”, and “5”. When the key information analysis unit 8-3 of the computer 2-3 refers to the key information illustrated in FIG. 15, since the node number “2” is described, the key information analysis unit 8-3 determines that the own device is a group member (Step S1). (Yes in S6), the process proceeds to step S7. The same applies to the calculator 2-5.

  The process of step S7 will be described separately for the case where the shared encryption key is encrypted with KEK when the key information is created and the case where the shared encryption key is encrypted with the key of each computer belonging to the group.

  If the shared encryption key is encrypted with KEK when creating the key information, the key information analysis unit (control unit 41) of the computer first refers to the rev tag in the decryption process of step S7 (see FIG. 4). In the case of the format illustrated in FIG. 16, after the node key information is downloaded first, it is confirmed whether or not the node key held by itself has been updated. Decrypt and store the new node key using the other node key. For example, it is assumed that the key information analysis unit (control unit 41) of the computer 2-3 shares the key information illustrated in FIG. In this case, the key information analysis unit 8-3 of the computer 2-3 refers to the description “2: 5: 42af” and updates the node key held by itself (K2 corresponding to the node number 2). Judgment is made and “42af” is converted with BASE64 or the like. Further, the data is decrypted with the key K5 (key held by the computer 2-3) corresponding to the node number 5, and the key K2 'obtained as a result is stored in the storage device. Further, the key information analysis unit 8-3 of the computer 2-3 refers to the description “0: 2: ef3f” and determines that the node key held by itself (K0 corresponding to node number 0) has been updated. Then, convert “0: 2: ef3f” with BASE64. Further, the data is decrypted with the key K2 'corresponding to the node number 2, and the resulting key K0' is stored in the storage device. Here, the case where the computer 2-3 obtains the key K2 'and further obtains the key K0' with reference to the description "0: 2: ef3f" has been described. The computers 2-1 and 2-2 may decrypt K 0 ′ with reference to the description “0: 1: abcd” using the key K 1 held by itself. If the new node key cannot be decrypted with the node key held by the user, the computer is an invalidated terminal, and the process is terminated. For example, the key information analysis unit (control unit 41) of the computer 2-4 refers to the description of the rev tag illustrated in FIG. 15 and determines that it does not hold a key for decrypting the encrypted key. Then, the process ends. Next, the key information analysis unit (control unit 41) of the computer stores in advance when decrypting data (here, encrypted data of KEK) combined with the node number stored in the own device. With reference to the information, a common key corresponding to the node number is specified, and the KEK encrypted data is decrypted with the common key. For example, the key information analysis unit 8-2 of the computer 2-2 refers to the information stored in advance in step S7, and obtains the common key K4 corresponding to the node number “4” stored in the own device. Identify. Then, by using the common key K4, the data (KEK encrypted data) combined with the node number “4” is decrypted. For example, the key information analysis unit 8-5 of the computer 2-5 refers to the information stored in advance in step S7, and the common key corresponding to the node number “2” stored in the own device. Specify K2 ′. Then, using the common key K2 ', the data combined with the node number "2" (KEK encrypted data) is decrypted. The same applies to the computer 2-3.

  If the shared encryption key is encrypted with the keys of the computers belonging to the group when the key information is created, the key information analysis unit (control unit 41) of the computer stores the key information analysis unit (control unit 41) of the computer in the decryption process of step S7. When decrypting the data (here, the encrypted data of the shared encryption key) combined with the node number being identified, the information stored in advance is referred to, the common key corresponding to the node number is identified, The encrypted data of the shared encryption key is decrypted with the common key. As a result, a shared encryption key is obtained.

  In addition, when performing encrypted communication between computers connected to the network 1 among group members, the communication data is encrypted and transmitted with the shared encryption key, and the received data is decrypted with the shared encryption key. That's fine. For example, communication data is transmitted and received in the same manner as in the second embodiment.

  Next, the effect of this embodiment will be described. In the present embodiment, using a LKH (Logical Key Hierarchy) method, some node keys of the tree structure are changed when the frequency of replacement of group members is high. As a result, when building a tree structure used for broadcast encryption (Broadcast Encryption), it is only necessary to consider the scale of the group without considering the replacement of group members. It is not necessary to generate a simple tree structure in advance.

  In the fifth embodiment, the key information generation unit and the key information transmission unit are realized by the control unit 31 of the group management server 5. The key information sharing means and the decryption means are realized by the control unit 41 of the computer. The common key storage means is realized by the storage device 32 of the group management server 5. The own device common key storage means is realized by the storage device 42 of the computer.

  The above key information is an example, and the name of the tag used for the key information is not limited to the above example. The key information may be described in a language other than XML.

  The cryptographic communication system of each embodiment as described above is, for example, a peer-to-peer content distribution service in which a service administrator fixes a peer served and a peer that does not have a group key cannot download content. Applied to various content distribution services.

  Moreover, the encryption communication system of each embodiment as described above is also applied to, for example, a sensor network that performs secret communication between a server and a node and secret communication between nodes.

  The present invention is applicable to a file sharing system in a peer-to-peer network that performs encrypted communication between information processing apparatuses. Further, in order to realize access control in a specific sensor node group, the present invention can also be applied to a sensor network in which sensor nodes share a group key.

It is a block diagram which shows 1st Embodiment of the encryption communication system by this invention. It is a block diagram which shows the structural example of a group management server. It is a block diagram which shows the structural example of a computer (information processing apparatus). It is a flowchart which shows the example of a process progress when providing a shared encryption key from a group management server to a computer. It is explanatory drawing which shows the example of key information. It is explanatory drawing which shows the example of a format of communication data. It is a flowchart which shows the example of process progress of the computer which received communication data. It is a block diagram which shows 3rd Embodiment of the encryption communication system by this invention. It is a block diagram which shows 4th Embodiment of the encryption communication system by this invention. It is explanatory drawing which shows the example of the data of the tree structure which shows the hierarchy of a common key. It is explanatory drawing which shows the example of key information. It is a block diagram which shows the structure of the conventional encryption communication system. It is a block diagram which shows 5th Embodiment of the encryption communication system by this invention. It is explanatory drawing which shows the example of the data of the tree structure which shows the hierarchy of the common key in 5th Embodiment. It is explanatory drawing which shows the example of the key information produced | generated in 5th Embodiment. It is explanatory drawing which shows the other example of the key information produced | generated in 5th Embodiment. It is explanatory drawing which shows the example of node key information in the case of using the key information illustrated in FIG.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Communication network 2-1 to 2-5 Computer 4 Authentication server 5 Group management server 7-1 to 7-5 Key information sharing part 8-1 to 8-5 Key information analysis part

Claims (25)

An encryption communication system comprising a plurality of information processing devices, at least a part or all of which forms a group,
Key information generation that generates key information including group key encryption data obtained by encrypting a group key used when information processing apparatuses forming a group perform encrypted communication, and identification information of each information processing apparatus forming the group Means,
Key information transmitting means for transmitting the key information to only one information processing apparatus connected to the communication network via the communication network;
Each information processing device
Key information sharing means for sharing the key information with each information processing device connected to the communication network when receiving the key information transmitted by the key information transmitting means;
And decryption means for decrypting the group key from the group key encryption data included in the key information when the identification information of the own device is included in the key information shared with another information processing apparatus. A cryptographic communication system. Comprising public key storage means for storing the public key of each information processing apparatus forming a group,
Key information generating means generates group key encryption data obtained by encrypting a group key with a public key of each information processing device forming a group, and identifies the group key encryption data and each information processing device forming a group Generate key information including a combination with information,
Each information processing apparatus includes a secret key storage unit that stores a secret key of the own apparatus,
The encryption communication system according to claim 1, wherein the decryption means of each information processing device decrypts the group key from the group key encryption data combined with the identification information of the own device, using the secret key of the own device. Comprising public key storage means for storing the public key of each information processing apparatus forming a group,
Key information generation means generates a group key encryption data by encrypting a group key with a key encryption key, and encrypts the key encryption key with a public key of each information processing apparatus forming the group. Generating key encryption data, generating key information including the group key encryption data and a combination of identification information and key encryption key encryption data for each information processing device forming a group;
Each information processing apparatus includes a secret key storage unit that stores a secret key of the own apparatus,
The decryption means of each information processing device decrypts the key encryption key from the key encryption key encryption data combined with the identification information of the own device using the secret key of the own device, and uses the key encryption key. The encryption communication system according to claim 1, wherein the group key is decrypted from the group key encryption data. A common key storage means for storing a common key of each information processing apparatus forming a group;
The key information generation means generates group key encryption data obtained by encrypting a group key with a common key of each information processing apparatus forming a group, and identifies the group key encryption data and each information processing apparatus forming a group Generate key information including a combination with information,
Each information processing device includes own device common key storage means for storing a common key of the own device,
The encryption communication system according to claim 1, wherein the decryption means of each information processing device decrypts the group key from the group key encryption data combined with the identification information of the own device, using the common key of the own device. A common key storage means for storing a common key of each information processing apparatus forming a group;
Key information generation means generates a group key encrypted data by encrypting a group key with a key encryption key, and encrypts the key encryption key with a common key of each information processing apparatus forming the group. Generating key encryption data, generating key information including the group key encryption data and a combination of identification information and key encryption key encryption data for each information processing device forming a group;
Each information processing device includes own device common key storage means for storing a common key of the own device,
The decryption means of each information processing device decrypts the key encryption key from the key encryption key encryption data combined with the identification information of the own device using the common key of the own device, and uses the key encryption key. The encryption communication system according to claim 1, wherein the group key is decrypted from the group key encryption data. An encryption communication system comprising a plurality of information processing devices, at least a part or all of which forms a group,
Stores a common key of each information processing apparatus forming a group and tree structure data indicating a hierarchy of the common key of each information processing apparatus and having node identification information for identifying each node. A common key storage means;
Generates group key encryption data by encrypting the group key with the common key of the node closest to the root, excluding the common key of the information processing device that does not belong to the group, and the group key encryption data and information that does not belong to the group Key information generating means for generating key information including a combination with the node identification information of the node closest to the root, excluding the common key of the processing device;
Key information transmitting means for transmitting the key information to only one information processing apparatus connected to the communication network via the communication network;
Each information processing device
Key information sharing means for sharing the key information with each information processing device connected to the communication network when receiving the key information transmitted by the key information transmitting means;
Decryption means for decrypting a group key from group key encryption data included in the key information when key information shared with another information processing apparatus includes node identification information corresponding to the common key of the own apparatus A cryptographic communication system characterized by comprising: Each information processing device includes own device common key storage means for storing a common key of the own device,
The decryption means of each information processing device is shared by the own device corresponding to the contact identification information when the node information corresponding to the common key of the own device is included in the key information shared with the other information processing devices. The encryption communication system according to claim 6, wherein a group key is decrypted from the group key encryption data combined with the contact identification information using a key. An encryption communication system comprising a plurality of information processing devices, at least a part or all of which forms a group,
Stores a common key of each information processing apparatus forming a group and tree structure data indicating a hierarchy of the common key of each information processing apparatus and having node identification information for identifying each node. A common key storage means;
Encrypt the group key with a key encryption key to generate group key encryption data, and encrypt the key encryption key with the common key of the node closest to the root, excluding the common key of information processing devices that do not belong to the group Key encryption key encryption data is generated, and the group key encryption data and the node identification information of the node closest to the root and the key encryption key encryption data of the information processing device not belonging to the group are excluded. Key information generating means for generating key information including a combination;
Key information transmitting means for transmitting the key information to only one information processing apparatus connected to the communication network via the communication network;
Each information processing device
Key information sharing means for sharing the key information with each information processing device connected to the communication network when receiving the key information transmitted by the key information transmitting means;
Decryption means for decrypting a group key from group key encryption data included in the key information when key information shared with another information processing apparatus includes node identification information corresponding to the common key of the own apparatus A cryptographic communication system characterized by comprising: Each information processing device includes own device common key storage means for storing a common key of the own device,
The decryption means of each information processing device is shared by the own device corresponding to the contact identification information when the node information corresponding to the common key of the own device is included in the key information shared with the other information processing devices. The key encryption key is decrypted from the key encryption key encryption data combined with the contact identification information using the key, and the group key is decrypted from the group key encryption data using the key encryption key. The cryptographic communication system described. The key information generation means
When information indicating an information processing device to be invalidated in a group and information indicating an information processing device newly added in place of the information processing device to be invalidated are input, of the nodes of the tree structure data The node indicating the common key of the information processing device to be invalidated is replaced with the node indicating the common key of the information processing device to be newly added, key information is generated again, and the key information is At the time of generation, the common key indicated by the replaced node is newly held by the common key already held by the information processing apparatus that remains without being invalidated or by the information processing apparatus that remains without being invalidated. The key information includes a combination of the node identification number indicating the encrypted common key, the node identification number indicating the encrypted common key, the node identification information indicating the common key used for encryption, and the data obtained by encryption,
  Each information processing device includes own device common key storage means for storing a common key of the own device,
The decoding means of each information processing device
Refer to the combination of the node identification number indicating the encrypted common key included in the key information, the node identification information indicating the common key used for encryption, and the data obtained by encryption, and When the node indicating the common key stored in the own device common key storage means is replaced, the encrypted data is decrypted with the common key used for the encryption, and the decrypted common key is Store in the device common key storage means
The cryptographic communication system according to any one of claims 6 to 9. Each time the key information generating unit updates the group key, it adds the group key encrypted data obtained by encrypting the group key to the key information, and assigns version information corresponding to the group key encrypted data included in the key information,
Each information processing device
The communication contents to other information processing devices are encrypted with a group key, and communication data is generated by adding the version information corresponding to the group key to the encrypted data and the access information for accessing the key information, The encryption communication system according to any one of claims 1 to 10 , further comprising communication data transmission means for transmitting the communication data to another information processing apparatus. Each information processing device
When receiving communication data from another information processing apparatus, a determination unit that determines whether or not the group key corresponding to the version information added to the communication data is held,
When it is determined that the key information sharing means does not hold a group key corresponding to the version information added to the communication data, the key information sharing means accesses the key information by the access information added to the communication data,
The cryptographic communication system according to claim 11 , wherein the decrypting means decrypts a group key from group key encrypted data to which the version information is assigned in the key information. A server including key information transmitting means;
Some information processing devices relay communication between other information processing devices and the server,
The some servers store key information;
The other information processing apparatus, when it becomes a state that is not connected to a communication network to a state connected to the communication network, claims 1 to 12 for receiving the key information from the portion of the information processing apparatus The encryption communication system of any one of these. A key sharing method applied to an encryption communication system provided with a plurality of information processing devices, at least a part or all of which forms a group,
Key information including group key encryption data obtained by encrypting a group key used when the information processing apparatuses forming the group perform encrypted communication by the key information generation unit, and identification information of each information processing apparatus forming the group Produces
Key information transmitting means transmits the key information to only one information processing apparatus connected to the communication network via the communication network,
When the key information sharing means of the one information processing apparatus receives the key information, the key information is shared with each information processing apparatus connected to the communication network,
When the decryption means of each information processing device includes the identification information of its own device in the key information shared with other information processing devices, the decryption means decrypts the group key from the group key encryption data included in the key information. A key sharing method characterized by: A key sharing method applied to an encryption communication system provided with a plurality of information processing devices, at least a part or all of which forms a group,
The common key storage means is a tree structure data indicating a common key of each information processing device forming a group and a hierarchy of the common key of each information processing device, and node identification information for identifying each node is defined. Store structural data,
Key information generating means generates group key encrypted data obtained by encrypting the group key with the common key of the node closest to the root, excluding the common key of the information processing apparatus not belonging to the group, and the group key encrypted data and , Generating key information including a combination with the node identification information of the node closest to the root, excluding the common key of the information processing device not belonging to the group,
Key information transmitting means transmits the key information to only one information processing apparatus connected to the communication network via the communication network,
When the key information sharing means of the one information processing apparatus receives the key information, the key information is shared with each information processing apparatus connected to the communication network,
When the decryption means of each information processing device includes the node identification information corresponding to the common key of the own device in the key information shared with the other information processing device, the group key encryption included in the key information A key sharing method characterized by decrypting a group key from data. A key sharing method applied to an encryption communication system provided with a plurality of information processing devices, at least a part or all of which forms a group,
The common key storage means is a tree structure data indicating a common key of each information processing device forming a group and a hierarchy of the common key of each information processing device, and node identification information for identifying each node is defined. Store structural data,
The key information generation means generates the group key encrypted data by encrypting the group key with the key encryption key, and uses the common key of the node closest to the root among the information processing devices that do not belong to the group. A key encryption key encryption data obtained by encrypting an encryption key is generated, and the node identification information and the key of the node closest to the root among the group key encryption data and the common key of the information processing apparatus not belonging to the group Generate key information including a combination of encryption key encryption data,
Key information transmitting means transmits the key information to only one information processing apparatus connected to the communication network via the communication network,
When the key information sharing means of the one information processing apparatus receives the key information, the key information is shared with each information processing apparatus connected to the communication network,
When the decryption means of each information processing device includes the node identification information corresponding to the common key of the own device in the key information shared with the other information processing device, the group key encryption included in the key information A key sharing method characterized by decrypting a group key from data. The own device common key storage means of each information processing device stores the common key of the own device,
The key information generation means
When information indicating an information processing device to be invalidated in a group and information indicating an information processing device newly added in place of the information processing device to be invalidated are input, of the nodes of the tree structure data The node indicating the common key of the information processing device to be invalidated is replaced with the node indicating the common key of the information processing device to be newly added, key information is generated again, and the key information is At the time of generation, the common key indicated by the replaced node is newly held by the common key already held by the information processing apparatus that remains without being invalidated or by the information processing apparatus that remains without being invalidated. The key information includes a combination of the node identification number indicating the encrypted common key, the node identification number indicating the encrypted common key, the node identification information indicating the common key used for encryption, and the data obtained by encryption,
The decoding means of each information processing device
Refer to the combination of the node identification number indicating the encrypted common key included in the key information, the node identification information indicating the common key used for encryption, and the data obtained by encryption, and When the node indicating the common key stored in the own device common key storage means is replaced, the encrypted data is decrypted with the common key used for the encryption, and the decrypted common key is Store in the device common key storage means
The key sharing method according to claim 15 or 16. A key providing device applied to a cryptographic communication system including a plurality of information processing devices, at least a part or all of which forms a group,
Key information generation that generates key information including group key encryption data obtained by encrypting a group key used when information processing apparatuses forming a group perform encrypted communication, and identification information of each information processing apparatus forming the group Means,
A key providing apparatus comprising: key information transmitting means for transmitting the key information to only one information processing apparatus connected to the communication network via the communication network. A key providing device applied to a cryptographic communication system including a plurality of information processing devices, at least a part or all of which forms a group,
Stores a common key of each information processing apparatus forming a group and tree structure data indicating a hierarchy of the common key of each information processing apparatus and having node identification information for identifying each node. A common key storage means;
Generates group key encryption data by encrypting the group key with the common key of the node closest to the root, excluding the common key of the information processing device that does not belong to the group, and the group key encryption data and information that does not belong to the group Key information generating means for generating key information including a combination with the node identification information of the node closest to the root, excluding the common key of the processing device;
A key providing apparatus comprising: key information transmitting means for transmitting the key information to only one information processing apparatus connected to the communication network via the communication network. A key providing device applied to a cryptographic communication system including a plurality of information processing devices, at least a part or all of which forms a group,
Stores a common key of each information processing apparatus forming a group and tree structure data indicating a hierarchy of the common key of each information processing apparatus and having node identification information for identifying each node. A common key storage means;
Encrypt the group key with a key encryption key to generate group key encryption data, and encrypt the key encryption key with the common key of the node closest to the root, excluding the common key of information processing devices that do not belong to the group Key encryption key encryption data is generated, and the group key encryption data and the node identification information of the node closest to the root and the key encryption key encryption data of the information processing device not belonging to the group are excluded. Key information generating means for generating key information including a combination;
A key providing apparatus comprising: key information transmitting means for transmitting the key information to only one information processing apparatus connected to the communication network via the communication network. The key information generation means
When information indicating an information processing device to be invalidated in a group and information indicating an information processing device newly added in place of the information processing device to be invalidated are input, of the nodes of the tree structure data The node indicating the common key of the information processing device to be invalidated is replaced with the node indicating the common key of the information processing device to be newly added, key information is generated again, and the key information is At the time of generation, the common key indicated by the replaced node is newly held by the common key already held by the information processing apparatus that remains without being invalidated or by the information processing apparatus that remains without being invalidated. The key information includes a combination of the node identification number indicating the encrypted common key, the node identification information indicating the common key used for encryption, and the data obtained by encryption.
21. A key providing apparatus according to claim 19 or claim 20. A key providing program mounted on a computer applied to an encryption communication system including a plurality of information processing apparatuses, at least a part or all of which forms a group,
In the computer,
Key information generation that generates key information including group key encryption data obtained by encrypting a group key used when information processing apparatuses forming a group perform encrypted communication, and identification information of each information processing apparatus forming the group A key providing program for executing processing and key information transmission processing for transmitting the key information to only one information processing apparatus connected to the communication network via the communication network. A tree that is applied to an encryption communication system including a plurality of information processing devices, at least a part or all of which forms a group, and shows a common key of each information processing device forming a group and a hierarchy of common keys of each information processing device A key providing program mounted on a computer having common key storage means for storing tree structure data in which node identification information for identifying each node is determined, which is structure data,
In the computer,
Generates group key encryption data by encrypting the group key with the common key of the node closest to the root, excluding the common key of the information processing device that does not belong to the group, and the group key encryption data and information that does not belong to the group A key information generating process for generating key information including a combination with node identification information of a node closest to the root, excluding the common key of the processing device; and the key information is transmitted to the communication network via the communication network. A key providing program for executing key information transmission processing to be transmitted to only one connected information processing device . A tree that is applied to an encryption communication system including a plurality of information processing devices, at least a part or all of which forms a group, and shows a common key of each information processing device forming a group and a hierarchy of common keys of each information processing device A key providing program mounted on a computer having common key storage means for storing tree structure data in which node identification information for identifying each node is determined, which is structure data,
In the computer,
Encrypt the group key with a key encryption key to generate group key encryption data, and encrypt the key encryption key with the common key of the node closest to the root, excluding the common key of information processing devices that do not belong to the group Key encryption key encryption data is generated, and the group key encryption data and the node identification information of the node closest to the root and the key encryption key encryption data of the information processing device not belonging to the group are excluded. Key information generation processing for generating key information including a combination, and key information transmission processing for transmitting the key information to only one information processing apparatus connected to the communication network via the communication network Key providing program to let you. On the computer,
When information indicating an information processing device to be invalidated in a group and information indicating an information processing device newly added in place of the information processing device to be invalidated are input, of the nodes of the tree structure data The node indicating the common key of the information processing device to be invalidated is replaced with the node indicating the common key of the information processing device to be newly added, and then the key information generation process is executed again.
In the key information generation process, the common key indicated by the replaced node is newly held by the common key already held by the information processing apparatus that remains without being invalidated or by the information processing apparatus that remains without being invalidated The key information is a combination of the node identification number indicating the encrypted common key, the node identification information indicating the common key used for encryption, and the data obtained by encryption. To include
The key providing program according to claim 23 or 24.

Images